I mean yes, it does take a whole minute to verify that the pow code repo is on 37signals' GitHub organization account and that the repo references http://pow.cx.
Although I suppose it is possible that 37signals' GitHub account was hacked and someone maliciously designed a convenient Rack server and website with the intent of targeting the lucrative Rails developer demographic, or that the package the installer downloads is an insidious 37signals trojan not built from the code at the public repo.
