> I know I'm not at all the first to say this, but those "curl into sh" installers are just such terrible ideas in general, and typically inconvenient and brittle as well.
They're fine for security and super convenient. I get why it's so popular - packaging and publishing debs is often going to be a lot more work, and now you're in the world of either maintaining a package repo or having to deal with an official one.
When you set up your CI/CD pipeline, creating packages, signing them and updating your repositories are all trivial tasks (been there, done that).
In this case, explicitly saying "this is my repository and this is the public key: gnupg the key, add this repository line, and get the packages" provides an end-to-end verified package pipeline. No .sh scripts to compromise.
If you keep your private keys in a network-detached place and only plug your keys in while signing stuff, things are pretty secure out of the box.
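The "this is my repository and this is the public key" flow described above, written out as an added shell example (not code from anyone in this thread): the vendor's key fingerprint is pinned before the keyring is installed, and the sources stanza binds the repository to that keyring only. Repository URL, key URL, file names and the fingerprint are placeholders; the key is assumed to be ASCII-armored and gpg 2.2+ and apt are assumed to be present.

```shell
#!/bin/sh
# Added example: install a signed apt repository with a pinned key fingerprint.
set -eu

# Normalise a fingerprint (drop spaces, upper-case) so "ab cd" == "ABCD".
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# 0 if the fingerprint read from the downloaded key equals the pinned one.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Primary key fingerprint of a key file, via gpg's machine-readable output.
key_fingerprint() {
    gpg --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# deb822 sources stanza; Signed-By restricts this repo to one keyring, so a
# package signed by any other key apt trusts is still rejected for it.
sources_stanza() {
    # $1 = URI, $2 = suite, $3 = components, $4 = keyring path
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By: %s\n' \
        "$1" "$2" "$3" "$4"
}

# Fetch the key, refuse it unless the fingerprint matches, then install
# keyring and sources file. Needs root; all six arguments are placeholders.
install_repo() {
    pinned="$1"; keyurl="$2"; uri="$3"; suite="$4"; comps="$5"; name="$6"
    tmp="$(mktemp)"
    curl -fsSL "$keyurl" -o "$tmp"
    actual="$(key_fingerprint "$tmp")"
    if ! fpr_matches "$actual" "$pinned"; then
        echo "key fingerprint mismatch: got '$actual', expected '$pinned'" >&2
        rm -f "$tmp"; return 1
    fi
    gpg --dearmor < "$tmp" > "/usr/share/keyrings/$name.gpg"
    rm -f "$tmp"
    sources_stanza "$uri" "$suite" "$comps" "/usr/share/keyrings/$name.gpg" \
        > "/etc/apt/sources.list.d/$name.sources"
    apt-get update
}

# Only perform the install when all six arguments are given, e.g.:
# install_repo <PINNED_FPR> https://example.invalid/key.asc https://example.invalid/apt stable main example
if [ "$#" -eq 6 ]; then
    install_repo "$@"
fi
```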
Actually it's not hard at all. All you need is a half-working build system and tar installed. You just create an additional build target and you're fine.
If you maintain the repository yourself, your setup instructions now involve adding a custom apt repo and then the installation. You also now have to handle multiple package managers, etc. A simple bootstrap script is pretty much as easy as it gets.