

2 months ago
Trust and security aren’t just about protecting from malice, but also mistakes.
For example, AUR packages are basically install scripts, and there have been a few that have done crazy things like delete a user’s /bin — not out of any malice, but rather simple human error.
Binaries are going to be much, much less prone to these mistakes because they are in languages the creators have more experience with, and are comfortable in. Just because I trust someone to write code that runs on my computer, doesn’t mean I trust them to write an install script, especially given how many footguns bash has.
Just because I trust the authors to write good Rust/JavaScript/etc. code, doesn’t mean I trust them to write good bash, especially given how many footguns bash has.
Steam once deleted a user’s home directory.
But: I do agree with you. I think curl | bash is reasonable for package managers like nix or brew. And then once those are installed, it’s better to get software like the Bun OP mentions from them, rather than from curl | bash.