
AdieuToLogic, yesterday at 3:56 AM (1 reply)

>> Attacks like this are not helped by the increasingly-common "curl | bash" installation instructions ...

> It's not really any different than downloading a binary from a website, which we've been doing for 30 years.

The two are very different, even though some ecosystems (such as PHP) have used the "curl | bash" idiom for about the same amount of time. Specifically, binary downloads from reputable sites have separately published hashes (MD5, SHA, etc.) to confirm what is being retrieved, along with other mechanisms to certify the source of the binaries.


Replies

tiagod, yesterday at 1:50 PM

If the attacker already controls the download link and has a valid https certificate, can't they just modify the published hash as well?
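As an added example, not from either commenter: the "download, then verify against a separately published hash, then run" step AdieuToLogic describes, written so that the expected hash is a parameter the operator supplies from an independent channel, which is exactly the gap tiagod raises (a hash served by the same origin as the binary proves nothing if that origin is compromised). All function names are hypothetical, and the "installer" is a constructed file so the script runs offline.

```shell
# Added example; not code from the thread. Function names are hypothetical.
set -u

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Download to a file instead of piping into a shell, so the content can be
# inspected and hashed before anything executes (not called in the offline demo).
fetch_to_file() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Compare the file with a hash obtained somewhere other than the download host:
# a signed checksum file, the value printed in release notes mirrored elsewhere,
# or one pinned in your own repo after vetting the release. The expected value is
# deliberately a parameter, never fetched from the same server as the binary.
verify_download() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  printf 'hash mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
  return 1
}

# Execute only after the hash check passes.
install_verified() {
  verify_download "$1" "$2" || { echo "refusing to run $1" >&2; return 1; }
  sh "$1"
}

# Offline demo with a constructed "installer" whose SHA-256 is known:
# sha256("abc") = ba7816bf...f20015ad.
PINNED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo=$(mktemp)
printf 'abc' > "$demo"
verify_download "$demo" "$PINNED" && echo "ok: $demo matches pinned hash"
printf 'd' >> "$demo"                 # simulate a modified download
verify_download "$demo" "$PINNED" || echo "modified copy rejected"
rm -f "$demo"
```

The demo only checks hashes; install_verified shows where execution would sit once the check passes.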