This method makes you vulnerable to attacks that change the script being run: DNS spoofing, HTTP proxy hacking or hacking of the source server itself.
Good package management systems use digital signatures to ensure that the original package wasn't tampered with. Not that hacking of the central repositories never happened, but it's a major (and thus infrequent) event.
But I know that for at least gem and npm, while they support signing, it is not used in practice. And those two repositories are used by a large number of people browsing this site.
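The safer fetch-then-verify pattern that the thread contrasts with piping a remote script straight into `sh`, as an added example that is not code from either commenter. It assumes `curl` and a sha256 tool on the PATH, and that the expected digest was obtained out of band (for example from the project's signed release notes) rather than from the same server that serves the script.

```shell
#!/bin/sh
# Added example (not from the thread): instead of `curl ... | sh`, download the
# installer to a file, compare it against a digest obtained out of band
# (release page, signed announcement), and only then inspect and run it.

# sha256 of a file, portable across coreutils and BSD/macOS userlands
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file matches the pinned digest, 1 otherwise; never runs it.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_verify_run URL EXPECTED_SHA256
# Download (curl -f: fail on HTTP errors, -sS: quiet but report errors,
# -L: follow redirects), verify, then run. A script altered by DNS spoofing, a
# hostile proxy or a compromised server fails the digest check and is not executed.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"; status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}
```

A pinned digest only protects against substitution of the file; it does not tell you the script is benign, so still read it before running it.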