tontony 9 hours ago

Curious, what would be an ideal (secure) approach for you to install this (or similar) tool?

yabones an hour ago

The correct way would be to publish packages on a proper registry/repository and install them with a package manager. For example, create a 3rd party Debian repository, and import the config & signing key on install. It's more work, sure, but it's been the best practice for decades and I don't see that changing any time soon.
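
As an added illustration of the repository approach described in the comment above (not code from the thread or from the uncloud project): a sketch of importing a third-party repository's config and signing key so that the key is trusted for that one repository only. The function name, repository name, URL and suite are hypothetical placeholders, and the key file in the dry run is a constructed stand-in.

```shell
#!/bin/sh
# Added example: an APT source whose signing key is trusted for one repo only.
# Repository name, URL and suite below are placeholders, not real endpoints.

# write_pinned_source ROOT NAME URI SUITE COMPONENT KEYFILE
# ROOT is "/" on a real system; a scratch directory gives a dry run.
write_pinned_source() {
    root=$1 name=$2 uri=$3 suite=$4 comp=$5 keyfile=$6

    # The signature covers the packages; the repo itself should be reached over TLS.
    case $uri in
        https://*) ;;
        *) echo "refusing non-HTTPS repository URI: $uri" >&2; return 1 ;;
    esac

    # The key must already be on disk and non-empty (assumption: it was
    # checked against a fingerprint the publisher posts out of band).
    [ -s "$keyfile" ] || { echo "missing keyring: $keyfile" >&2; return 1; }

    keydir=$root/etc/apt/keyrings
    srcdir=$root/etc/apt/sources.list.d
    mkdir -p "$keydir" "$srcdir" || return 1

    # Install outside trusted.gpg.d so the key is not trusted for other repos.
    install -m 0644 "$keyfile" "$keydir/$name.gpg" || return 1

    # deb822 stanza; Signed-By ties this repository to this key.
    cat > "$srcdir/$name.sources" <<EOF
Types: deb
URIs: $uri
Suites: $suite
Components: $comp
Signed-By: /etc/apt/keyrings/$name.gpg
EOF
}

# Dry run against a scratch root with a constructed stand-in key file.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed-key-bytes' > "$tmp/key.gpg"
    write_pinned_source "$tmp" example-tool https://apt.example.invalid stable main "$tmp/key.gpg" \
        && cat "$tmp/etc/apt/sources.list.d/example-tool.sources"
    rm -rf "$tmp"
}

demo
```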

tontony 27 minutes ago

Sure, but it all boils down to trust at the end of the day. Why would you trust a third-party Debian repository (that e.g. has a different user namespace and no identity linking to GitHub) more than running something from evidently the same user from GitHub, in this specific case?

I'm not arguing that a repository is nice because versioning, signing, version yanking, etc., and I do agree that the process should be more transparent and verifiable for people who care about it.

rovr138 9 hours ago

It's deploying a script, which then downloads uncloud using curl.

The alternative is deploying the script and having the uncloud files it needs with it.