What exactly is wrong with piping curl into bash? I'm trusting RVM anyway. As for functional package managers, I'll believe it when I see it. The reason things are brittle is that any time something in the middle of a dependency chain changes, the whole chain may break. The more you freeze things, the greater the chance there is to freeze up a security hole (see what is going on with Docker). So you have two choices: be ok with the freeze, or update the whole chain. In this respect I prefer the latter, and I especially prefer the way Ruby does it where, due to the global namespace, I'm forced to upgrade the gem everywhere so I end up fixing things and keeping the whole project up to date. While this seems frustrating at first, once you realize that everyone in the Ruby community is doing it, you realize that the reason it is usually painless to update your gems is because other people have fixed those other holes. What is especially nice is that you only have to remember things that are broken at T0, unlike, say, Node, where a popular nested node_module may have 10 different versions in your dependencies and you keep hitting the same bug or security hole over and over again.
I've found all the hate surrounding this practice to be pretty misdirected. As long as it's served over HTTPS, it's functionally equivalent to "download and run this random package installer!", which is generally tolerated.