I agree, they should use SSL (and don't use a URL shortener, which they don't, but I've seen before).
Ideally it would download a file from Github too, that way you can be sure it's coming straight from the publicly visible open source repo, and you can audit if you want.
But I think the general outrage over this technique is overblown.
