But it's kinda funny to me that you just said "I was going to run this code on my system, until I saw some other code in the same repo, and now I refuse to run it" :D It's all the same repo, you're willing to try part of the code, but not another part of it. Completely arbitrary.
I don't quite get that argument. It's the same as the old download installer from random website, double click to run that people have been doing for decades. It only skips the download step. And it's arguably better since at least you can review the contents. When building a Go program it will also happily download stuff from github but I've seen way less complaints about that. And to be fair it's also been an infection vector, from people installing things from shady places (or reputable places but with ill-intent like installing unwanted browser toolbars, DRM rootkits ...), but it's nothing new. Same advice applies, know what you're doing, use reputable sources.
What's a better alternative ?
One day you run it, it's fine. The next day you run the same command on your machine, it installs malware. No way to tell without inspecting the script every time.
If you download an installer and it's fine, then you can run it again and it's still fine.
> What's a better alternative ?
I do not think the program really needs and installer but if one must then why not just have it under source control that way you get the benefits of git handling all the download bits and the install script being completely offline and just using cp or install commands.
you could tell the user to do this with a pithy command like `git --depth=1 clone $GITSITE/$REPO && $REPO/installer.sh && rm -R $REPO`
Hmm, why not?