There's no `curl | sh` going on. "curl-able" means what it says: you curl down a single docker-compose file and run `docker compose up`. You don't clone the repo and you don't pipe anything into a shell. The whole point of the project is that it ships as one compose file you can fetch and run, which is why I called it curl-able.
I'm not sure how familiar you are with Docker and Docker Compose, but this is pretty common practice when you want to let people run a whole stack from a single compose file. If you have security concerns, you can (and always should) review the compose file and the Docker images to see what they do. Everything is available in the repo. But to actually run it, one curl is enough.
Thanks for the suggestion. If you mean running the project on a "real" router with OpenWRT, then the project is not really for that purpose. OpenWRT already gives you everything you need to achieve the same thing. The idea of Mezz is that it runs on any Linux device, like a laptop or a Raspberry Pi, if you don't have a router or don't want to work with one.
I'm not sure how familiar you are with Docker and Docker Compose, but this is pretty common practice when you want to let people run a whole stack from a single compose file. If you have security concerns, you can (and always should) review the compose file and the Docker images to see what they do. Everything is available in the repo. But to actually run it, one curl is enough.
Are you familiar with the term "download"?