My opinion is this: anything downloaded from anywhere is suspect if you really want to be extremely scrutinizing... what about rubycookbook? Are you going to carefully scrutinize every line of code to make sure there's nothing malicious in there? For small snippets sure, but as modules get bigger, no way... what about RAA? Don't people download code from there and use it daily? I agree that security is important, but bottom line, we're not seeking to do anything really different here... I understand there's inherent danger in autoloading something from the web and running it, but is it that different from downloading, moving to a directory, then using it if you're not going to scan through it? Security is certainly important but you'll never reach 100% safety...

Jack

> No, that's not true. I'm entirely sure it's not sufficient. I can think of
> many, many ways to crock this. You're counting on the remote keyserver
> being trustworthy (they aren't), DNS being trustworthy (it isn't), that the
> signing entity is trustworthy (they aren't), and that the source you're
> fetching is safe to use sight unseen (it isn't).

Sorry, I must be missing something or just be mad, because I installed my Debian from scratch from the net. If they can guarantee the integrity of a distribution, moreover downloaded over http with no notion of keys or such, I guess it should be possible to guarantee the integrity of a code library, should it not?

> Yeah, these are all potential issues when installing any chunk of code from
> the net, but at least with a manual install you have a chance to check
> things out even if you choose not to. With automagic loading, you take all
> the potential checks out of the process.

``apt-get program-name'' does not give very much to check. ;-)

Massimiliano
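As an added example (not code from any poster in this thread, nor from RAA or apt), here is one way an autoloader could keep the "chance to check" the quoted reply asks for without trusting the download host, DNS, or a remote keyserver for integrity: the SHA-256 digest of the library version someone actually reviewed is pinned in a manifest shipped with the application, the fetched body is compared against it, and only a matching body is ever evaluated. The library text, the manifest, and the tampered copy are all constructed inline (they are stand-ins, not real RAA artifacts), so the script runs offline.

```ruby
require "digest/sha2"

# Constructed sample: the library text someone has already reviewed, and a
# manifest of pinned SHA-256 digests obtained out of band (e.g. shipped with
# the application), so neither the download host nor DNS is trusted for
# integrity. Both are stand-ins, not real RAA artifacts.
REVIEWED_LIB = "module Greeter\n  def self.hi; 'hello'; end\nend\n"
PINNED_DIGESTS = {
  "greeter.rb" => Digest::SHA256.hexdigest(REVIEWED_LIB),
}.freeze

class IntegrityError < StandardError; end

# Compare two hex digests without short-circuiting on the first differing
# byte, so timing leaks nothing about how much of the digest matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a fetched body against the pinned digest for its name. Returns the
# body unchanged on success and raises IntegrityError otherwise; a library
# with no pinned digest is refused rather than trusted by default.
def verify_fetched(name, body, digests = PINNED_DIGESTS)
  expected = digests.fetch(name) { raise IntegrityError, "#{name}: no pinned digest" }
  actual = Digest::SHA256.hexdigest(body)
  raise IntegrityError, "#{name}: digest mismatch" unless constant_time_equal?(expected, actual)
  body
end

# Evaluate the library only after the check passes; a body that fails the
# check never reaches eval. Returns true when the library was loaded.
def load_verified(name, body, digests = PINNED_DIGESTS)
  src = verify_fetched(name, body, digests)
  Module.new.module_eval(src, name, 1)
  true
end

# Outcome of the check for a given body, handy for logging:
# :ok, :tampered, or :unpinned.
def classify(name, body, digests = PINNED_DIGESTS)
  verify_fetched(name, body, digests)
  :ok
rescue IntegrityError => e
  e.message.end_with?("no pinned digest") ? :unpinned : :tampered
end

if __FILE__ == $PROGRAM_NAME
  tampered = REVIEWED_LIB + "# one extra line changed after review\n"
  puts classify("greeter.rb", REVIEWED_LIB)   # ok
  puts classify("greeter.rb", tampered)       # tampered
  puts classify("other.rb", REVIEWED_LIB)     # unpinned
end
```

A pinned digest only guarantees that the bytes loaded are the bytes that were reviewed; whether that reviewed version is itself safe is still a human judgement, which is the point Jack raises about scrutinizing large modules. The manifest has to travel over a channel the user already trusts (the application's own release, in this example), otherwise it inherits exactly the keyserver and DNS concerns from the quoted reply.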