
This is a security red herring that as far as I can see is justified entirely by an aesthetic preference to think of oneself as "able to quickly audit code just by skimming it."

Compare it to alternatives like "gem install NAME_ANY_GEM_HERE", which also executes arbitrary code and which, for the typical Ruby/Rails developer, is totally impenetrable. (If you think otherwise, tell me, when's the last time you did a line-by-line audit of every single dependency prior to installing a gem?)

Even the embedded assumptions like e.g. the Rubygems server is, as of this instance, being operated by Rubygems and not being operated by The Adversary are really, really tenuous.
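The comment above argues that `gem install` runs code nobody audits. As an added example that is not part of the thread (and not RubyGems project code), the Ruby script below shows the one cheap check available before installing: take a fetched `.gem` file (as produced by `gem fetch NAME`) and list what `gem install` would execute at install time, namely its `extensions` (extconf.rb, Rakefile or similar build scripts, run with the installing user's privileges) and the runtime dependencies it pulls in. The gem names `plainlib` and `hookedlib` are constructed samples built in a temporary directory so the script runs offline; nothing is installed.

```ruby
# Added example, not code from the HN thread or from RubyGems itself.
# Inspects a .gem archive for install-time code before `gem install` runs it.
# The two sample gems below are constructed here so the script runs offline.
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Summarise what `gem install <gem_path>` would do without installing it.
# `extensions` lists build scripts that `gem install` executes on the
# installing machine; an empty list means no install-time hook (runtime
# code loaded later via `require` is a separate, larger surface).
def install_surface(gem_path)
  spec = Gem::Package.new(gem_path).spec # reads metadata.gz only
  {
    name: spec.name,
    version: spec.version.to_s,
    extensions: spec.extensions,
    runs_code_at_install: !spec.extensions.empty?,
    runtime_deps: spec.runtime_dependencies.map { |d| "#{d.name} #{d.requirement}" },
  }
end

# Build a constructed (not real) gem inside `dir` and return its path.
# With `with_extension: true` it ships an extconf.rb, which is exactly the
# kind of file `gem install` would execute.
def build_sample_gem(dir, name:, with_extension:)
  Dir.chdir(dir) do
    FileUtils.mkdir_p(%w[lib ext])
    File.write("lib/#{name}.rb", "module #{name.capitalize}; end\n")
    files = ["lib/#{name}.rb"]
    if with_extension
      # Benign stand-in for an install-time hook; anything could go here.
      File.write("ext/extconf.rb", "File.write('installed_hook.txt', 'ran')\n")
      files << "ext/extconf.rb"
    end
    spec = Gem::Specification.new do |s|
      s.name = name
      s.version = "0.1.0"
      s.summary = "constructed sample gem"
      s.authors = ["example"]
      s.files = files
      s.extensions = ["ext/extconf.rb"] if with_extension
      s.add_runtime_dependency "rake", ">= 0"
    end
    # skip_validation=true: we need a well-formed archive, not a publishable gem
    File.expand_path(Gem::Package.build(spec, true))
  end
end

# Build both samples and report their install surface, keyed by gem name.
def demo
  Dir.mktmpdir do |root|
    results = {}
    [["plainlib", false], ["hookedlib", true]].each do |name, hooked|
      workdir = File.join(root, name)
      Dir.mkdir(workdir)
      results[name] = install_surface(build_sample_gem(workdir, name: name, with_extension: hooked))
    end
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |name, surface|
    puts "#{name}: install-time code? #{surface[:runs_code_at_install]} " \
         "extensions=#{surface[:extensions].inspect} deps=#{surface[:runtime_deps].inspect}"
  end
end
```

Against a real archive, `install_surface("somegem-1.2.3.gem")` gives the same summary; `gem fetch` downloads without installing, so the check happens before any extconf.rb runs. It only covers the direct gem and its declared dependencies, not the transitive tree, and says nothing about what the gem does once required, which is the commenter's point about how little of the installed code anyone actually audits.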


