Hacker News

"curl ... | sh" is absolutely fine. If you want to complain about something, complain about the fact that the URL being used is an http URL instead of an https one.
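As an added example (not from any commenter in this thread), here is the defensive alternative the http/https point implies: fetch the installer to a file over https only, check a SHA-256 published out of band, and run it only if the hash matches. It assumes curl and sha256sum are available; the URL and hash values are placeholders.

```shell
#!/bin/sh
# Added example: "fetch, verify, then run" instead of "curl URL | sh".
# Assumes curl and sha256sum exist; URL/hash arguments are placeholders.

# Reject plain-http URLs: nothing on the wire protects the script from tampering.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 with the expected value obtained out of band.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download, verify, then execute. Returns non-zero and runs nothing on any failure.
safe_install() {
    url=$1; expected=$2
    require_https "$url" || return 1
    tmp=$(mktemp) || return 1
    # --proto '=https' also blocks a redirect from downgrading the transport.
    curl -fsSL --proto '=https' "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
    else
        echo "checksum mismatch for $url, not executing" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Usage: `safe_install https://example.invalid/install.sh <sha256-from-the-project-docs>`; the hash must come from a channel other than the download itself, or the check adds nothing.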


If you want to complain about something, complain about the completely pointless fragmentation of the Linux ecosystem that pretty much mandates "curl|bash" to ship software for "Linux."


You say that like advanced packaging tools weren't pioneered by "Linux"...


They were. That's not the problem.

The problem is tools -- plural. Users think "I have Linux, where do I get the Linux version?" You have to provide arcane instructions for how to add a package repository on Every. Single. Linux. Distribution.

Or you can script it and users can run a command. Still painful, but less so for the user.

As far as the distributions themselves go: they are harder to get software into than the Apple App Store. The rules are arcane and the docs either barely exist or are on wikis that have not been updated in over a decade. The whole process is unnecessarily arcane beyond belief.


"curl | sh" is not in itself any less secure than "npm install" or "go get", but it is often a good indicator of a project that takes usability more seriously than security. IMO, it's also seen as "the new way" to do installs, and implies a lack of respect for the fodgy old way to do things (e.g. with a package manager).


> … is not in itself any less secure … takes usability more seriously than security.

You're contradicting yourself. If it's not any less secure, then how does using it mean you're not taking security seriously? And you're also treating usability as if it's not important, when in fact usability is very nearly the most important part. If your software isn't usable, then nobody will use it, and if nobody is using it then it doesn't matter how secure it is.


Many of these scripts actually install through package managers; Docker's "curl | sh", like a year or two ago, basically just set up an apt repo and ran some apt commands. I think the hurdle they're gunning for is having X number of distro targets and the explanation cost for a user that just wants to jump in.

At least, that's how I've read it to be.



