You're right, but this is just kind of a nit-pick. It should be up to the user to decide if they trust the source. The way I see it, it all comes down to the question of whether you trust the source. If the source is trustworthy, from there you've got to worry about an attacker compromising your trusted source. That happens and it sucks, but it's life, and I for one am not going to stop `gem install`ing and `curl`ing because Rubygems.org was compromised once or some other source was tampered with.
I know my sources, I trust them. If they're compromised and they take me down with them, I'm going to cry a little, but it's not like I'm working on a nuclear reactor - I'm making some shit CRUD app. Now, as the importance of a codebase increases, the kind of attitude I have should decrease, of course.
> "I'm going to cry a little but it's not like I'm working on a nuclear reactor"
Great for you, but you're a developer who presumably works on 'shit CRUD apps' for other people who pay you for the effort.
What happens when a script from a compromised source that you run on your devbox grabs the entire contents of ~/.ssh/ and sends it to the bad guys' inbox? Congratulations, all your clients have been thoroughly owned.