
What makes it insecure?


It's the other way around. Any method of installation is insecure by default. Moreover, hackers are able to penetrate even multi-layered security defence systems sometimes (for a short period of time). What makes this 0-security system secure?


I don't think I understand your point?

My argument is that the install method of just piping a curl command to your shell is _no less secure_ than any other typical application install procedure, and the user experience is pretty decent.

I don't think we should be generating "loud warnings" about so called "insecure install methods" nor should we fault the Zed authors for not solving software security.


The point is that when you use a distro, you trust that distro and its maintainers. If you use the package they build for you, then you rely on this trust.

Now if you use a random script from the internet, then you don't give your distro maintainers a chance to actually review the package and instead you blindly trust this script. Arguably you increase your attack surface.

Also, a system package manager checks the packages (there are signatures and stuff), whereas piping a script to curl doesn't do that at all. So if the server is compromised, you just execute random code. It's harder to compromise the system package manager.


Curl checks the https certificate.

Distro maintainers in general do not audit the code they package.


> Curl checks the https certificate.

Which is not the same thing as a signature on the package, is it?

> Distro maintainers in general do not audit the code they package.

First, it depends on the distro. Second, they certainly do at least some kind of due diligence before packaging a new project. So there is some amount of selection (which you don't find in npm, cargo or pypi).


Yes, a 0-security installation method cannot be less secure than another 0-security installation method. Both are insecure.

However, when source code and compilation instructions are available, an independent maintainer can verify the source manually, compile it in isolation, test it in isolation, make patches, add SELinux rules, make a package, then sign the package, to produce a secure package which can be safely consumed by end users.
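Added example, not from any commenter in the thread and not Zed's own installer: the middle ground between `curl | sh` and a signed distro package that several comments circle around. TLS only proves you are talking to the server; it says nothing about whether the script the server handed you is the one the project published. Downloading to a file and checking it against a digest obtained out-of-band (release page, signed tag, a previous known-good copy) is the minimal check that turns a compromised server into a refused install rather than executed code. The "installer" below is a constructed stand-in so the script runs offline; the pinned hash is computed from that stand-in as an assumption in place of a value the project would publish separately.

```shell
#!/bin/sh
# Added example (not from the thread): instead of `curl ... | sh`, download
# the installer to a file, compare its SHA-256 against a value pinned
# out-of-band, and only then execute it. The "installer" is a constructed
# stand-in so this runs offline; PINNED_SHA256 is derived from it here as an
# assumption standing in for a hash the project publishes through a channel
# independent of the download server.

set -u

# Portable SHA-256 (sha256sum on GNU systems, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh only if its digest equals EXPECTED_SHA256.
# Returns 0 after running it, 1 on digest mismatch (nothing executed),
# 2 if FILE does not exist.
verify_and_run() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# --- constructed sample: a benign "installer" and a tampered copy ---
workdir=$(mktemp -d)
genuine="$workdir/install.sh"
tampered="$workdir/install-tampered.sh"
printf '%s\n' '#!/bin/sh' 'echo "installing (pretend)"' > "$genuine"
PINNED_SHA256=$(sha256_of "$genuine")   # assumption: obtained out-of-band
cp "$genuine" "$tampered"
printf '%s\n' 'echo "attacker payload would run here"' >> "$tampered"

# Real-world step (not run here): fetch to a file, never straight into sh.
# curl -fsSL https://example.invalid/install.sh -o "$genuine"

verify_and_run "$genuine" "$PINNED_SHA256" && echo "genuine: ran"
verify_and_run "$tampered" "$PINNED_SHA256" || echo "tampered: blocked"
```

The check is only as strong as the channel the pinned digest came from: a hash copied from the same page that serves the script gives nothing, while a hash from a signed release or a package index is what a distro package effectively gives you for free.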



