
A glance inside their shell script shows they don't protect against something as simple as a broken connection. Because curl | bash is vulnerable to partial execution.

For the inner downloads in the script, they use the -fsSL flags, which would protect against such broken behaviour. But not their user-facing script.

More to the point, the install just downloads:

https://get.please.build/${GOOS}_amd64/${VERSION}/please_${V...

then unzips and links it to PATH. No checking the source isn't corrupt, no checking if the tar archive successfully expands. (And the var GOOS seems to depend on an environment variable I don't think is guaranteed to exist. It certainly doesn't on my Mac.)

If that's the case... Why not just provide a download link? It won't have the same issue as a broken install if the connection drops, and is just as easy. The only technical bit, linking to PATH, is something the end audience could be expected to know.
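As an added illustration of the two failure modes the comment raises (a script that is partially executed when the connection drops, and an archive that is fetched, unpacked and linked without any integrity or extraction check), here is the defensive shape a `curl | sh` installer can take. This is example code written for this page, not the please.build installer; the function names, the `--run` guard, the `sha256_of` helper and the sample archive built in the test are all assumptions, and the expected digest would in practice be published alongside the release.

```shell
#!/bin/sh
# Example installer skeleton (not the please.build script). The whole
# installer lives in main(), which is invoked only on the last line, so a
# script truncated by a dropped connection defines functions and runs nothing.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# fetch URL DEST: download to a file first. -f fails on HTTP errors instead
# of saving an error page, -S still reports errors under -s, -L follows
# redirects. A dropped connection leaves a bad file, never a half-run script.
fetch() {
  curl -fsSL --retry 3 -o "$2" "$1"
}

# verify_and_install ARCHIVE EXPECTED_SHA256 DESTDIR
# Succeeds only if the digest matches and tar extracts the archive cleanly;
# nothing is placed in DESTDIR otherwise.
verify_and_install() {
  archive=$1; expected=$2; dest=$3
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  # tar exits non-zero on a truncated or corrupt archive; -C keeps the
  # contents out of the current directory until they are known to be good.
  if ! tar -xzf "$archive" -C "$tmp"; then
    echo "archive failed to extract" >&2
    rm -rf "$tmp"
    return 1
  fi
  mkdir -p "$dest"
  mv "$tmp"/* "$dest"/
  rm -rf "$tmp"
  return 0
}

# main URL EXPECTED_SHA256 DESTDIR: the only top-level work the script does.
main() {
  url=$1; expected=$2; dest=$3
  dl=$(mktemp)
  fetch "$url" "$dl"
  verify_and_install "$dl" "$expected" "$dest"
  rm -f "$dl"
  echo "installed into $dest; add it to PATH yourself" >&2
}

# A real installer ends with: main "$@"
# Here main only runs when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

The point of the split is that every destructive step happens only after the script has fully arrived (it is inside a function called at the very end) and only after the bytes on disk have been checked against a known digest and proven to extract; a download link with a published checksum gives the user the same guarantees without any script at all.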


