@marcan most people will happily download a package tarball from a random 3rd party mirror for their distro (which even today aren't always signed, especially w/ the proliferation of 3rd party repos on Arch, Debian, Ubuntu, etc) which contains a little shell script that in all likelyhood runs as root but wrinkle their nose at curl | sh, which to me just shows that most people build their opinions about the security of things almost entirely on the perceived aesthetics. Debian still uses plain http URLs for its sources.list with no automatic https redirect on the server side