I set up a quick demonstration to show the risks of curl|bash and how a bad actor could potentially hide a malicious script.

It’s nothing new or groundbreaking, but I figure it never hurts to have another reminder.

  • Dave@lemmy.nz
    3 hours ago

    Firstly, it is much, much easier to compromise the website hosting than the binary itself, usually. Distributed binaries are usually signed by multiple keys from multiple servers, resulting in them being highly resistant to tampering. Reproducible builds (two users compiling a program get the same output) make it trivial to detect tampering as well.

    Yeah this is a fair call.

    But at the same time, I have little confidence in my ability to spot these bugs.

    This is the key thing for me. I am not likely to spot any issues even if they were there! I’d only be scanning for external connections or obviously malicious code, which I do when I don’t have as much trust in the source.

    As a side note, Docker doesn’t recommend their install script anymore.

    Yeah I used it as an example because there are very few times I ever remember piping to bash, but that’s probably the most common one I have done in the past.
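
An added example, not part of the original thread: instead of piping curl into bash, save the script to a file, compare its SHA-256 with a digest obtained out of band, and execute it only on a match, so the bytes that were reviewed are the bytes that run. The function names, the file name `install.sh` and the URL in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a pinned digest.
# Typical use (URL, file name and digest are placeholders):
#   curl -fsSLo install.sh https://example.com/install.sh
#   less install.sh                      # review the bytes you will execute
#   run_verified install.sh "<sha256 published out of band>"

# Print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE hashes to EXPECTED; 1 on mismatch, 2 on bad input.
# The body runs in a subshell so its variables stay local.
verify_script() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify: no such file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*|'') echo "verify: malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify: malformed digest" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify: digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
)

# Verify FILE against EXPECTED, then execute it with any remaining arguments.
# Nothing is executed when verification fails.
run_verified() {
    verify_script "$1" "$2" || return 1
    script=$1
    shift 2
    sh "$script" "$@"
}
```

The check is only as strong as the channel the digest came from: a digest published on the same host as the script falls to the same compromise.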