> Manage your dotfiles across multiple diverse machines, securely.
> $ sh -c "$(curl -fsLS https://chezmoi.io/get)" -- init --apply $GITHUB_USERNAME
That this is even suggested as an installation command means that they might as well strike "securely" from the tagline. For someone interested in security the foul odor that this line emits is enough to make me stop reading.
I don't know. I always think this line smacks of paternalism. For instance, plenty of projects suggest for installation something like:
git clone https://github.com/twpayne/chezmoi/; cd chezmoi; make; sudo make install
Of course, "curl | bash" is not always preferable. Re: security, "curl | bash" may be preferable here given the superuser privileges, or the privileges required by dpkg upon install of a stray deb package. But is the implication one reads the makefile and the source code before installing when one git clones a repo, but doesn't when the instructions say pipe to bash? I also think many are afraid to admit FOSS packaging security is mostly smoke and mirrors. Sure, it's nice re: trusting a mirror. It's nice for keeping track of packages and dependencies. But its technical security story vs "curl | bash" would seem only marginally better/worse depending on the circumstances.
Because trust is the great problem. "curl | bash" may have a smell, but it's mostly the smell of the sewer we live in.
Another question one might/should ask is -- what is the cross platform alternative? If it's "Build 10 packages for everyone," I'm not sure how happy that will make anyone. Just specifically re: this tool, imagine wanting to use it everywhere, however, you have a Mac dev laptop and your servers are a mix of Linux/FreeBSD. How much easier is it just to say "I trust chezmoi (because I would have had to trust it anyway) and 'curl | bash' is secure enough?"
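For the "is curl | bash secure enough" question above, here is the fetch-to-file, pin-a-digest, then run pattern that the one-liner could be replaced with, as an added example that is neither chezmoi's installer nor any commenter's code. The expected SHA-256 is assumed to be obtained out of band (a release page or signed checksum file); the `fetch_to_file` and `verify_and_run` names are this example's own.

```shell
#!/bin/sh
# Added example: run a downloaded install script only after it is fully on
# disk and its SHA-256 matches a digest pinned from a trusted channel.

# sha256_of FILE: print the hex SHA-256, using coreutils or BSD/Perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# fetch_to_file URL DEST: download to a file, never to a pipe, so the script
# can be hashed and read before anything executes. -f fails on HTTP errors,
# -L follows redirects, --proto '=https' refuses a downgrade to plain http.
fetch_to_file() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_and_run SCRIPT EXPECTED_SHA256 [args...]
# Returns 1 without executing anything when the digest differs; otherwise
# runs the script with sh and the remaining arguments (e.g. init --apply).
verify_and_run() {
  script="$1"; expected="$2"; shift 2
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    printf 'digest mismatch for %s: got %s want %s\n' \
      "$script" "$actual" "$expected" >&2
    return 1
  fi
  sh "$script" "$@"
}

# Usage sketch (EXPECTED is a placeholder the reader pins themselves):
#   fetch_to_file https://chezmoi.io/get ./get-chezmoi.sh
#   less ./get-chezmoi.sh          # read it before running it
#   verify_and_run ./get-chezmoi.sh "$EXPECTED" -- init --apply "$GITHUB_USERNAME"
```

Because execution is gated on the digest, a tampered or truncated download is refused rather than partially run.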