[Rubygems-developers] More work on the remote installer
Hugh Sasse Staff Elec Eng
hgs at dmu.ac.uk
Wed Dec 1 10:03:24 EST 2004
On Wed, 1 Dec 2004, Jim Weirich wrote:
> My plan is to update the site-wide file if the current user has write access
> to it. Otherwise update the user specific file. Both of these updates would
> be from the downloaded information. I would not update the site-wide file
> with info from the user.
> However, the user could specifically update his own copy manually. I'm not
> sure I understand your concern over a DOS (Denial of Service ... right?)
> attack based on a hacked cache file. These cache files are merely hashes
> that map source and gem names into gemspecs for searching purposes. If the
> cache file is incorrect, it would mean that the gem command would attempt to
> grab a version of a gem from the server that might not be there (or tell you
Which would be an inconvenience but, ...
> it can't find a gem that really is there) Could you expand on your concerns
... that is the kind of thing I was thinking of. One student could
disrupt another's work if he knew her work depended on a gem he
wasn't using. She'd not be able to get the updates she needs, etc.
But since you aren't doing this it is irrelevant now.
> about DOS attacks. Thanks.
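
The update policy discussed in this thread, sketched as an added example (not RubyGems code and not from either poster): the shared cache is written only when the current user has write access, and only from downloaded data. The helper names, the JSON file format, and the extra world-writable check are assumptions made for illustration.

```ruby
require "json"
require "tmpdir"

# Hypothetical helpers for illustration; not part of RubyGems.
# Choose the cache file to update: the site-wide one only when the current
# user can write it, otherwise the user-specific one.
def cache_target(site_path, user_path)
  File.writable?(site_path) ? site_path : user_path
end

# A site-wide cache that any local account can modify lets one user give
# every other user on the host a wrong view of which gems exist.
def shared_cache_tamperable?(path)
  (File.stat(path).mode & 0o002) != 0 # world-writable bit set
end

# Rewrite the chosen cache from downloaded data only. Entries a user edited
# into a private copy are never merged into the shared file.
def update_cache(site_path, user_path, downloaded)
  target = cache_target(site_path, user_path)
  if target == site_path && shared_cache_tamperable?(site_path)
    raise SecurityError, "#{site_path} is world-writable, refusing to trust it"
  end
  File.write(target, JSON.generate(downloaded))
  target
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    site = File.join(dir, "site_cache.json") # constructed paths
    user = File.join(dir, "user_cache.json")
    listing = { "http://gems.example/" => { "somegem" => "1.0.0" } } # constructed
    File.write(site, "{}")
    File.chmod(0o644, site)
    puts "updated: #{update_cache(site, user, listing)}"
    File.chmod(0o666, site) # simulate a shared cache anyone can edit
    begin
      update_cache(site, user, listing)
    rescue SecurityError => e
      puts "refused: #{e.message}"
    end
  end
end
```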