> That rustup itself could be in repos and still work
So surely you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over? How do you expect the Rust devs to distribute the compiler? If you want to build from source, that's extremely easy. For people who want convenient binaries, Rust also offers binaries via the most convenient means available, which is curl-to-bash. This isn't a security flaw any more than running the compiler itself is.
This is probably the key idea in this specific context: the tool you're downloading is a compiler. If you don't trust the bash script hosted by the compiler's creators (assuming you're properly certificate-checking the curl connection and not bypassing TLS), why would you trust the compiler binary it's trying to install?
I trust Debian to vet and package things in a way that won't break my desktop. I don't trust the Rust organization because their goals are very different.
I'm not sure how that's relevant for rust. I'm trying to think of a way they could distribute the rust toolchain that would break your desktop; does your desktop have a native rust install that other pieces of the distro are relying on to have a particular configuration (like the gcc most distros ship with) that a curl | bash installed toolchain would interfere with?
>you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over
The lack is a consequence of the type of language rust developers chose to be. One that is constantly, rapidly (over just a few months) changing itself in forwards incompatible ways. Other languages don't really have this problem. Even c++ you only have breaking changes every 3-4 years which can be handled by repos. But 3 months old rustc in $distro repos is already fairly useless. Not because rust is a bad language, but because the types of people that write in rust are all bleeding edge early adopters and always use $latest when writing. In another decade or so when the rust developer demographics even out a bit it will probably be okay.
rustup is available on plenty of distros now, and it's on homebrew in macOS.
The Rust docs should really offer installation methods other than curl | sh. Not from a security standpoint (I think that's nonsense) but I just don't like polluting my system with random stuff that is not managed by a package manager.
Edit: Yes, there is an "other installation methods" link, but the text makes it sound like it is only applicable for Windows.
So surely you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over? How do you expect the Rust devs to distribute the compiler? If you want to build from source, that's extremely easy. For people who want convenient binaries, Rust also offers binaries via the most convenient means available, which is curl-to-bash. This isn't a security flaw any more than running the compiler itself is.