Comment by ajanuary

The argument is predicated in the assumption that some subset of people are checking the installer before running it, whether that installer be a shell script or a binary package.

With the binary packages you don’t have any way to tell if the consumer is going to inspect it or not, so even if you send the malicious code to only a subset of people, there is a risk of detection.

The technique in the post allows you to distribute the malicious code only to people who aren’t inspecting it with a much higher success rate.

Personally I’m dubious that anyone is inspecting any installers with enough expertise and scrutiny to protect the rest of us, so the differences between the install methods in this regard are negligible.