`curl | bash`: Trust as a privilege?

We often hear that using curl | bash is insecure. That no one should ever pipe remote scripts directly into a shell. And yet… the biggest open source projects do it all the time.

Docker installs with curl | sh.
nvm, oh-my-zsh, Homebrew – all follow the same pattern.
And we trust them.

Why? Because they’re popular? Because they have a logo?
Because their websites look professional?

Meanwhile, smaller projects are held to a different standard. They are questioned, scrutinized, distrusted – even when their scripts are safer, simpler, and better documented. They are told to “do things properly,” while giants are allowed to bypass all that with a link and a one-liner.

This raises a fundamental question:
Is trust in open source earned through values – or granted through dominance?

In theory, trust should be based on transparency, clarity, and alignment with shared principles.
In practice, it often feels like a reward for popularity.

It’s worth asking ourselves:
Are we building an open ecosystem, or just replicating old hierarchies under a new name?

Personally, I want to commit to defending the right for everyone to be perceived as trustworthy — not just those who can afford to promote this practice as acceptable for their own installations.

Either this is a right for all, or it should be a privilege for none.
We owe it to the spirit of open source to make trust something you earn through integrity, not something you inherit through visibility.

Addendum: The GitHub Raw URL Illusion

Some developers respond to concerns about curl | bash by saying:
“It’s okay, the script is hosted on GitHub.”

But let’s pause for a moment: what does that actually mean?

GitHub is a platform. It hosts everything — good code, bad code, malicious code. The raw URL is not a guarantee of safety. It’s not a signature. It’s not a review. It’s just a convenient way to shift the burden of trust onto a brand name that happens to be owned by Microsoft.

By saying “just trust the raw GitHub URL”, we’re not solving the issue. We’re outsourcing our credibility.
We’re saying: “You don’t need to trust me, trust GitHub.”

That’s not security. That’s just branding.

And more importantly: it reinforces an unjust system where trust belongs to platforms, not people.

If we allow this shortcut for some, it must be available to all — or to none.
Otherwise, we are simply rewarding visibility and centralization, and punishing independence and transparency.

This is an interesting point. I think the fact that this means of installation exists highlights a gap in the means by which we package and install and manage software with a large number of existing distros to package for. It’s also non-ideal when we want to remove software, as when things are installed by a script, there isn’t always an easy uninstallation script. (That’s before we even get to the potential risk of putting random binaries in random places in the filesystem)

The growing prevalence of atomic linux distros also makes these scripts more and more unreliable.

For desktop apps we already have flatpak as a mostly reliable means of “click a button and the software will install (more or less securely) on (almost) any linux distro”, but for daemons and cli apps we still don’t have something comparable. As I see it, that’s the gap we have.