Hacker News

> which means you are basically giving your computer in the hands of a third party

As opposed to any other installation method? Do you regularly vet the entire source code of software you install?




I think an actionable takeaway is: even if the curl/wget/whatever points to a trusted https:// domain, the page you're copying from also needs to be on a trusted https:// domain.


Even if it's a trusted https:// domain, it can still be compromised. (https://blog.jquery.com/2014/09/24/update-on-jquery-com-comp...)

Always review the script first.


You trust the upstream to provide you with a safe program, but not a safe installer? That makes zero sense, and your link doesn't provide any evidence to the contrary.


Yes, you are correct if the application and script are on the same domain. The link is simply an example of a major 'trusted' domain being compromised.


Absolutely.


No, but I can verify the hash of the installer before I run it though.


And who provided you with the hash?


For distro packages? Any number of alternate download sources.

But I agree with your greater point; hashes are better used as a guard against file corruption than fuckery.
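The practice the two comments above describe (save the installer, check its hash against a value obtained elsewhere, review it, then run it) as an added example; this is not code from the thread. The installer file and its "pinned" hash are constructed in the demo, and the hash is computed locally only to stand in for one copied from an independent source.

```shell
#!/bin/sh
# Save the installer to disk and check it against a SHA-256 obtained from a
# different place than the download itself (release notes, signed checksum
# file, a second mirror). Piping curl straight into sh skips every step below.

# Print the SHA-256 of a file; works with coreutils or BSD/macOS tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HASH: 0 if it matches, 1 otherwise.
# Published hashes vary in case, so compare in lower case.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# download_installer URL DEST: fetch to a file, never to a pipe.
# -f fails on HTTP errors, -L follows redirects, --proto restricts to https.
download_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# install_verified FILE EXPECTED_HASH: refuse to run unless the hash matches.
# Review the file by hand between verify and run; the hash only proves it is
# the file the publisher meant to ship, not that the file is safe.
install_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "hash mismatch for $1; not running it" >&2
        return 1
    fi
}

# Demo with a constructed installer; the pinned hash is computed here only to
# simulate the value you would copy from a second, independent source.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "installing example tool"\n' > "$tmp/install.sh"
    pinned=$(sha256_of "$tmp/install.sh")
    install_verified "$tmp/install.sh" "$pinned" && echo "unmodified copy: ran"
    printf 'echo "an extra line"\n' >> "$tmp/install.sh"   # simulate a modified file
    install_verified "$tmp/install.sh" "$pinned" || echo "modified copy: rejected"
    rm -rf "$tmp"
}
```

Run `demo` to see a matching copy execute and a modified copy refused.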


If the program you want to install is included in your distribution's packages then this whole discussion is moot. We are talking about ways of installing from third-party sources.

