Re: Am I the only one who doesn't have wget installed?
I guess it depends on your server. I thought it was installed by most distros by default but I don't know how many people routinely use it for mirroring stuff. I tend to use wget over curl because the incantation is easier. But I might just install fetch for remote downloads.
Your point about code that isn't there can't be attacked still stands but in that case why even have an SFTPd running. Surely, the really safe thing is to be able to read the files from a remote file system under your control? Even then, can you be sure the files aren't corrupt?