by static_typed 4879 days ago
I think the overall points raised help shape the bigger conversation about the current state and implementation of RubyGems.

Who built your Gem? How do you verify that still holds? You may trust developer A who released a nice Gem, but what about when he pulls in a dependency, that pulls in another dependency, and suddenly you have gems from developer B, who loves to stick a YAML parser out there for all to compromise.

The whole design needs a rethink.
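An added example, not part of the thread: a small Ruby script that parses a Gemfile.lock and reports how many hops each gem sits from the ones you actually declared, together with the chain that pulled it in, so the "developer B" gems become visible. The lockfile contents below are constructed and the gem names are illustrative.

```ruby
# Added example (not from the thread): walk a Gemfile.lock and report how far
# each gem sits from the gems you declared, so transitive dependencies are not
# invisible. LOCKFILE is a constructed sample; its gem names are illustrative.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.0)
        tzinfo (~> 2.0)
      concurrent-ruby (1.1.10)
      rails (7.0.0)
        activesupport (= 7.0.0)
      tzinfo (2.0.5)
        concurrent-ruby (~> 1.0)

  DEPENDENCIES
    rails
LOCK

# Returns [specs, direct]: specs maps each locked gem to the names it depends
# on; direct lists the gems declared in the DEPENDENCIES section.
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    name = line.strip[/\A[^\s!]+/]          # drop version constraints and "!"
    case line[/\A */].size                  # indentation decides the meaning
    when 0 then section = name              # GEM, DEPENDENCIES, PLATFORMS, ...
    when 2 then direct << name if section == "DEPENDENCIES"
    when 4 then (current = name; specs[current] = []) if section == "GEM"
    when 6 then specs[current] << name if section == "GEM"
    end
  end
  [specs, direct]
end

# Breadth-first walk from the declared gems: each reached gem gets the shortest
# depth and the chain of gems that pulled it in.
def dependency_depths(specs, direct)
  seen = {}
  queue = direct.map { |g| [g, 0, [g]] }
  until queue.empty?
    name, depth, path = queue.shift
    next if seen.key?(name)
    seen[name] = { depth: depth, via: path }
    (specs[name] || []).each { |dep| queue << [dep, depth + 1, path + [dep]] }
  end
  seen
end
```

Gems in `specs` that never appear in the result are locked but unreachable from anything you declared, which is worth a look on its own.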


But isn't that a problem where no good solutions exist? We share code to reuse code. If we insist on allowing only one level of dependencies, then we restrict code reuse, which is bad in other ways: you promote reimplementation of functionality, more often bad than good.