My big problem with it is uninstallation. If I ever want to remove the program, I have to 1. Hope that the author published an uninstall.sh, or 2. examine the install.sh to see where it spams all its files to and remove them manually. This seems like a major step backwards from package managers.

You're blind-trusting someone to run stuff in the context of your terminal. Sure, it's similar to an installer but the author of the script can also manipulate the script at any time.

One day you run it, it's fine. The next day you run the same command on your machine, it installs malware. No way to tell without inspecting the script every time.

If you download an installer and it's fine, then you can run it again and it's still fine.

I don't think the go module system is great but I am not sure if any programming gets it right and all suffer from many issues, but go has the go.mod and it is easy to see what dependencies are being used both direct and indirect and the user can filter and look though these packages and pin them until they have eyeballed updates to the git repo. I don't feel the most comfortable with it but the whole `curl | sh` is so terrible, no signing no, way of knowing about the integrity of the installer.

> What's a better alternative ?

I do not think the program really needs and installer but if one must then why not just have it under source control that way you get the benefits of git handling all the download bits and the install script being completely offline and just using cp or install commands.

you could tell the user to do this with a pithy command like `git --depth=1 clone $GITSITE/$REPO && $REPO/installer.sh && rm -R $REPO`

[dead]