On Thu, Nov 03, 2005 at 02:57:08AM +0900, Adam Sanderson wrote:
> Doesn't putting the hash in kind of defeat the purpose?  If you know
> exactly what the file should look like, you've probably downloaded it
> already... and now it's local.

Yes.  But you could salvage the situation with PKI.  So you'd specify
a public key to trust, perhaps by fingerprint:

require 'http://foo', 'A5EA B010 448C D0B9 FD2A  287C 9E15 33D7 5A7D 3120'

And require would fail unless the code is properly signed.

-Ed
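
A sketch of the check described above, added here as an illustration and not part of the original message or of Ruby itself. It assumes RSA keys from Ruby's `openssl` library and a SHA-256 fingerprint of the DER-encoded public key instead of the OpenPGP fingerprint shown in the post; `verified_source`, `signed_require` and the sample key and source are hypothetical and constructed, and the download step is left out so the code runs offline.

```ruby
require "openssl"

class UntrustedCode < StandardError; end

# Assumption: fingerprint = SHA-256 of the DER-encoded public key
# (the post's example is an OpenPGP fingerprint, which is computed differently).
def key_fingerprint(pub_der)
  OpenSSL::Digest::SHA256.hexdigest(pub_der)
end

# Accept fingerprints written in spaced groups, as in the post.
def normalize(fingerprint)
  fingerprint.delete(" :").downcase
end

# Return the source only if the supplied key is the pinned one AND it signed
# exactly these bytes. The key may arrive with the download; the pin is local.
def verified_source(source, signature, pub_der, pinned_fp)
  unless normalize(key_fingerprint(pub_der)) == normalize(pinned_fp)
    raise UntrustedCode, "signing key does not match pinned fingerprint"
  end
  key = OpenSSL::PKey::RSA.new(pub_der)
  unless key.verify(OpenSSL::Digest.new("SHA256"), signature, source)
    raise UntrustedCode, "signature does not cover this source"
  end
  source
end

# Hypothetical require-like wrapper: nothing is evaluated before both checks pass.
def signed_require(source, signature, pub_der, pinned_fp)
  eval(verified_source(source, signature, pub_der, pinned_fp), TOPLEVEL_BINDING, "(signed)")
end

# Constructed sample data: a throwaway author key and a signed source string.
AUTHOR_KEY = OpenSSL::PKey::RSA.new(2048)
PUB_DER    = AUTHOR_KEY.public_key.to_der
PIN        = key_fingerprint(PUB_DER).upcase.scan(/.{4}/).join(" ")
SOURCE     = "def signed_demo_answer; 42; end; signed_demo_answer"
SIGNATURE  = AUTHOR_KEY.sign(OpenSSL::Digest.new("SHA256"), SOURCE)
```

Because the pin names the key rather than the file contents, the author can publish new signed versions without the caller changing the pinned value.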
