Is the issue with telling people to pipe URL output into bash? Or is the issue with any distribution method that isn't flatpak or something similarly privilege-limited?
I see how flatpak is an improvement, but I don't see how piping into bash is any worse than "install this .deb file / npm package / pip package." If the package author wanted to do something malicious, it's just as easy (if not easier) to put the malicious code in the package itself rather than a bash installer for the package.
If the installer is a precompiled binary, not much, though this is mostly a Windows-ism these days.
If we're considering the same batch script: You can read it before running and be sure that the endpoint doesn't dynamically give you different results depending on how you fetch it.
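As an added example (not code from any commenter): a small POSIX sh helper that does what the comment above describes, saving the installer to disk, pinning its hash, and running exactly the bytes that were reviewed rather than whatever a pipe happens to deliver. The URL, destination path and expected hash are placeholders the caller supplies.

```sh
#!/bin/sh
# Added example, not from the thread. Fetch an installer to a file (never piped),
# verify it against a published SHA-256, read it, then run the reviewed file.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# stage_installer URL DEST: download to DEST; fail on HTTP errors, HTTPS only.
# (Placeholder URL is supplied by the caller; not run in the tests.)
stage_installer() {
    url=$1; dest=$2
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# run_reviewed FILE EXPECTED: re-verify and execute the file on disk. Because the
# hash is checked on the same bytes that are executed, a server returning
# different content to different clients cannot substitute a different script
# between review and execution.
run_reviewed() {
    file=$1; expected=$2
    if ! verify_sha256 "$file" "$expected"; then
        echo "SHA-256 mismatch for $file; refusing to run" >&2
        return 1
    fi
    bash "$file"
}

# Typical flow (placeholders):
#   stage_installer https://example.invalid/install.sh ./install.sh
#   ${PAGER:-less} ./install.sh        # human review step
#   run_reviewed ./install.sh <published-sha256>
```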
In either case, the proposal here was flatpak, which does provide security benefits like sandboxing.
If you trust the author of the tool you are installing and the installer is by the same author, then why wouldn't you trust the installer too?
> It's 100% trivial to have it run rm or shred on all files you have access to while simultaneously printing correct looking install progress messages.