
This is a discussion that’s been had before and a problem that’s been solved before: https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...

As a gist, here’s a quote:

    When you install software on Linux, no matter what package manager you use, you are giving that software permission to act as you.



Most (if not all) legit package managers at least use checksums to reduce the chance of malicious packages getting installed; I'm not sure about others, but I believe pacman (the Arch Linux package manager) also refuses to install packages unless you've imported the GPG key of the distributor. This isn't to say that package managers are completely safe (nothing is), but there are fairly significant differences between using a Linux package manager and piping a script from the internet to be executed.


The owner of the website could sign responses, and you could verify them, in addition to TLS via HTTPS. I think that can make it at least as secure as package management systems.


Yep, I agree. Providing checksums for scripts to curl isn't the norm from what I've seen, though, which I think fits in with what GP (of my original comment) was saying. Also, I'm not super convinced that most users would bother verifying the checksum; from what I've seen, most people downloading Linux distro images don't even bother verifying the checksums that are provided.


It'd be great if something like hashpipe could become standard on Linux for this purpose.

See https://news.ycombinator.com/item?id=9318286


This is really cool! I hadn't heard of it before.


That article is mixing up "is it safe to do that from us?" and "is it safe to do that?". Do it from another vendor that isn't using https and all their reassurances about the method evaporate. Simply put: the method is bad; it's only when you use a bunch of mitigating actions that it becomes 'not bad'.



