You can use things like dependabot or renovate to update versions in a controlled manner, rather than automatically using the latest of everything.
On the other side, when it comes to docker containers, you can use github actions or some other CI/CD system to automate the container build.
Trust and security aren’t just about protecting from malice, but also mistakes.
For example, AUR packages are basically install scripts, and there have been a few that have done crazy things like delete a users /bin — not out of any malice, but rather simple human error.
Binaries are going to be much, much less prone to these mistakes because they are in languages the creators have more experience with, and are comfortable in. Just because I trust someone to write code that runs on my computer, doesn’t mean I trust them to write an install script, especially given how many footguns bash has.
Has it been independently audited yet?
Just because I trust the authors to write good rust/javascript/etc code, doesn’t mean I trust them to write good bash, especially given how many footguns bash has.
Steam once deleted a users home directory.
But: I do agree with you. I think
curl | bashis reasonable for package managers like nix or brew. And then once those are installed, it’s better to get software like the Bun OP mentions from them, rather than fromcurl | bash.