
It would improve the situation but I'm still not a fan of perpetuating the pipe-into-shell idiom.


The only meaningful difference between the two techniques is the extra step required to explicitly execute an installer. Is that your objection, that you don't like something being automatically executed upon download?


HTTPS, automatic installation, and UX that confounds security for end-users are my three objections to this gimmick.


I really don't see what's to object about. People who care about security can review it. People who just want it to work and don't care about security will blindly execute whatever instructions are written on the site. If the app is malicious then the latter group is screwed no matter what, doesn't matter whether it's 'curl | sh' or whether it's a .dmg/.zip/.tar.gz.


Your HTTPS suggestion makes sense, but can you explain your other two points by contrasting with "gem install"? How is the installation any more automatic? How does the UX confound security?


I was assuming HTTPS based on this thread chain, but even in practice, most installers I see aren't downloaded over HTTPS.

How does this practice confound security more than a normal installer? sudo asks for my password just as a normal installer would.


It's easier for a man in the middle to change a 15-line text script than to change a binary. Lowering that effort = increasing the odds and incidence of attempted attacks.


I request one thing, you send me something completely different. I don't see how making the "something" an ASCII script makes it easier than a random binary (and there's no requirement that the random binary has any relationship with what I requested).

Oddly, I'm more used to seeing arguments that distributing source code is better than distributing binaries because you can inspect source code.


The scenario isn't that I send you something different, but that somebody else gets in between us and tampers with the data. That's what https tries to avoid.

We're arguing levels of badness here so it's a little hokey. But if you decide to open up your machine to run arbitrary code, a machine that can run shell will arguably get more infections than one that runs executables. To infect the latter any script kiddies will need to know a 'harder' language and at least how to compile it. It's a couple more hoops to jump through. In the other case I could drive by and do scp ~/mailbox me@myserver:
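The tampering scenario above (someone between you and the server altering the script in transit) is what HTTPS addresses on the wire; a second, independent check is to fetch the script to a file and compare it against a digest published out of band before anything runs. The following is an added example, not code from the thread or from any project it mentions; the URL and the pinned digest in the trailing comment are placeholders, and the `verify_and_run` helper and its name are assumptions for illustration:

```shell
#!/bin/sh
# Added example (not from the thread): download to a file, verify a pinned
# SHA-256, and only then execute. Nothing is ever piped unverified into sh.

# Portable SHA-256 of a file: prints only the hex digest, whichever of the
# common tools happens to be installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns its status if the digest matches the pinned
# value; returns 1 without executing anything if it does not, and 2 if the
# file is missing.
verify_and_run() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# Typical use (placeholder URL and digest; the real digest must come from a
# channel other than the download itself, e.g. the project's signed docs):
#   curl -fsSL https://example.invalid/install.sh -o install.sh
#   verify_and_run install.sh <pinned-sha256-hex>
```

The digest has to be obtained separately from the script (documentation, a signed release note, a package manager's metadata); a hash served from the same URL as the script gives an attacker who controls the connection both values to rewrite. The check does not make the script trustworthy, it only ensures the bytes you run are the bytes the publisher described.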


"Tampers with the data" is functionally equivalent to sending me something different. There's no requirement that it looks like what I requested at all, and as long as it will execute when double-clicked, it'll do the trick.

We're already talking about running arbitrary code on a machine, compiled versus interpreted is irrelevant. And I think you have forgotten that a script with the appropriate hash-bang and file permissions is indistinguishable to most users from a compiled executable.


Rubygems at least has a post-install hook that gem authors can execute automatically.

