[Rubygems-developers] Gems as Ruby programs (or not)?

Paul Brannan pbrannan at atdesk.com
Mon Jan 26 14:06:41 EST 2004


On Sat, Jan 24, 2004 at 09:37:39AM -0500, Chad Fowler wrote:
> At the Software MFA program I attended in Illinois recently, I was talking 
> about RubyGems with one of the other attendees and he started really 
> grilling me on why the gem files (not the specs) are Ruby programs.
> 
> He did a pretty good job of convincing me.  By the end of the 
> conversation, I couldn't really think of a good reason (that would 
> outweigh the negatives--mainly security issues).
> 
> Any thoughts?  Is there some reason that I've forgotten?
> 
> Chad

When we first discussed the idea of making them Ruby programs, my
thinking was that there is no security concern, because if there really
is a trojan, it doesn't matter whether it's in the ruby code itself or
whether it's in the gem file; it will be executed either way.  Making
the gem non-executable does not eliminate the possibility of trojans.

However, I've since changed my mind; if installation happens as
superuser, but the program is run as a user, then it makes a big
difference: if the gem is non-executable, the trojan can only get user
access and not superuser access.

I'm not really even sure if it's a good idea at all to make the gems
executable; if there's a bug in the generated code at the top of the gem
file, then the gem has to be regenerated, whereas if the gem were data
and not code, only rubygems itself would need to be fixed.

Paul
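The distinction Paul draws, shown as an added example that is not part of this thread and does not use RubyGems' actual file format: an installer that must `eval` a gem file to get its spec runs whatever the packager put there, with the installer's uid; an installer that only parses a data file cannot be made to run anything at install time, so a trojan is confined to the packaged code and to the ordinary user who later loads it. The two "gem" layouts, the `INSTALL_EFFECTS` log and the function names are constructed for this illustration. The third payload adds the caveat a practitioner would want: "data, not code" only holds if the parser itself refuses to instantiate arbitrary objects, which is why the data path uses `YAML.safe_load` rather than `YAML.load`.

```ruby
require 'yaml'

# Constructed side-effect log. Anything appended here during "installation"
# ran with the installer's privileges (root, if root runs the install).
INSTALL_EFFECTS = []

# Layout 1 (constructed): the gem file is a Ruby program. The installer has
# to execute it to obtain the spec, so the generated prologue at the top is
# arbitrary code running as the installing user.
EXECUTABLE_GEM = <<~'RUBY'
  # generated prologue -- looks like housekeeping, but it is code
  INSTALL_EFFECTS << "install-time code ran as uid #{Process.uid}"
  spec = { "name" => "hello", "version" => "1.0.0",
           "files" => { "lib/hello.rb" => "def hello; 'hi'; end\n" } }
  spec
RUBY

# Layout 2 (constructed): the gem file is data. The installer parses it and
# never executes it; a "prologue" smuggled in is just a string.
DATA_GEM = <<~'YAML'
  name: hello
  version: 1.0.0
  files:
    lib/hello.rb: "def hello; 'hi'; end\n"
  prologue: 'INSTALL_EFFECTS << "this never runs"'
YAML

# Layout 2, hostile variant (constructed): a YAML tag asking the parser to
# build an arbitrary Ruby object. A data format is only safe if the parser
# refuses this, so the installer must use safe_load, not load.
TAGGED_GEM = <<~'YAML'
  name: !ruby/object:Gem::Installer
    target: /usr/lib
YAML

# Installer for layout 1: the only way to get the spec is to run the file.
def install_executable_gem(src)
  eval(src)   # packager's code executes here, as the installer's uid
end

# Installer for layout 2: parse only. safe_load permits plain scalars,
# arrays and hashes and raises Psych::DisallowedClass for object tags.
def install_data_gem(src)
  YAML.safe_load(src)
end

if __FILE__ == $0
  spec = install_executable_gem(EXECUTABLE_GEM)
  puts "executable gem: #{spec['name']} #{spec['version']}"
  puts "effects during install: #{INSTALL_EFFECTS.inspect}"

  INSTALL_EFFECTS.clear
  spec = install_data_gem(DATA_GEM)
  puts "data gem: #{spec['name']} #{spec['version']}"
  puts "effects during install: #{INSTALL_EFFECTS.inspect}"

  begin
    install_data_gem(TAGGED_GEM)
  rescue Psych::DisallowedClass => e
    puts "tagged gem rejected by the parser: #{e.message}"
  end
end
```

Running it shows the first install recording a side effect with the installer's uid, the second recording none while the smuggled `prologue` comes back as a harmless string, and the third being refused by the parser before any object is built.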
