Both post-install scripts and curl|bash scripts are just scapegoats of supply chain security with similar faulty reasoning.