Now GM 0.8 support also @required and @resource meta-data, but if somebody will include some resources in a script, he has to host them else where. It would be nice if when you upload a script you can also include the resource files.
It would be also nice if the @require and @resource files are listed together with the script information, for example under the "view script source" link. This only for transparency to the users, at least they'll know if a script install other files.

You have a point there.

If your including a library made by a third party (like jQuery or Prototype for example) and it's
possible to point the @require tag to their official release, then I personally think it would be a
better idea to point it there. That should be the safes source to get the required script from in
my opinion.

It would be a lot easier to hide some malicious code if it where added to one of those libraries
and uploaded along with the userscript. The longer the script the easier it is to miss and I guess
that it's easier to choose if your accepting the library author then it is to read the whole required
script.

A clear warning say that the script is including other script or remote resources will probably be
a good thing thou. That way your less likely to miss that the script does it.

But if you have written the including script by yourself then your idea sounds great :-)

I agree that longer scripts are harder to check for malicious code in. However, I still advocate that you can and should make your script self sufficient; that is, you should include the library or libraries in your code. It isn't worth it to have to hit some poor guy's site every time you visit a page that isn't his (I understand that bandwidth can be expensive). Further, if he changes the code, all of your users are out of luck.

As for the malicious code argument, I'd say that you're trusting the author regardless of the size of the script, and further that a remote code library is a bigger security hole as it may change to something malicious without the script author's knowledge. Either way, it's important for users to understand and accept the risks of installing code on their computers that is of dubious origin. There are users on this forum whose scripts I would download and use without looking at the source (ok, that's a lie, I always look at the source, but I'd check some author's scripts less thoroughly than others). Everyone else I check before installing a script, or I just take the idea of the script and write it myself.

-Joel

It isn't worth it to have to hit some poor guy's site every time you visit a page

I think you misunderstand how @resources and @required files work. GreaseSpot says that Greasemonkey looks for these once only, when the script is first installed, and stores them in a subfolder with your script. It doesn't fetch them every time the script activates, nor does it reload them when the script is updated, unless the updated version uses new ones with new filenames.

Please excuse me while I extract my foot from my mouth; it seems to be rather firmly lodged there. I've been out of the loop for a while. It does appear that these resources are obtained once and saved locally.

However, I still think it's a better idea to keep the scripts self-contained, but that could be considered personal preference.

-Joel