[Rubygems-developers] More work on the remote installer

Hugh Sasse Staff Elec Eng hgs at dmu.ac.uk
Wed Dec 1 10:03:24 EST 2004


On Wed, 1 Dec 2004, Jim Weirich wrote:

>
> My plan is to update the site-wide file if the current user has write access
> to it.  Otherwise update the user specific file.  Both of these updates would
> be from the downloaded information.  I would not update the site-wide file
> with info from the user.

OK.
>
> However, the user could specifically update his own copy manually.  I'm not
> sure I understand your concern over a DOS (Denial of Service ... right?)
> attack based on a hacked cache file.  These cache files are merely hashes
> that map source and gem names into gemspecs for searching purposes.  If the
> cache file is incorrect, it would mean that the gem command would attempt to
> grab a version of a gem from the server that might not be there (or tell you

Which would be an inconvenience but, ...

> it can't find a gem that really is there)  Could you expand on your concerns

... that is the kind of thing I was thinking of.  One student could
disrupt another's work if he knew her work depended on a gem he
wasn't using.  She'd not be able to get the updates she neeeds, etc.
But since you aren't doing this it is irrelevant now.

> about DOS attacks.  Thanks.
>

         Thank you,
         Hugh


More information about the Rubygems-developers mailing list