[Rubygems-developers] RubyForge Security/Release question
Richard Kilmer
rich at infoether.com
Mon Mar 15 10:18:36 EST 2004
All,

I have a script that can run that will check all the files released on
RubyForge (gForge) and when it finds a .gem file it is copied into the
gems repository. The problem is this. Any project can release a file
with any gem name. So, if I wanted to break the Rake project I could
(under Jabber4r) release a file/gem named: rake-0.2.1.gem which would
then be copied over the existing rake-0.2.1.gem in the global repo. Of
course, we would know who released that file (project/user) and could
hammer them, but that is after the fact. Anyone have an idea on how we
could solve this? Limiting the person who could release a gem of some
known name?

Perhaps base it on email rather than gforge's file release? Then if
you emailed a gem (say jabber4r-0.7.0) it would check to see if a gem
of that name exists, and if so, which email address the first one was
from, and if not, add that email address as the 'author/updater' of
that gem?

Let me know your thoughts.

-rich
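The first-come name-ownership check sketched in the post, as an added Ruby example (not RubyForge or RubyGems code): the first submitter of a gem name becomes its owner, and later releases under that name from anyone else are rejected before they can overwrite the repository copy. `GemOwnerRegistry`, its filename pattern and the sample addresses are assumptions.

```ruby
# Added example (not RubyForge/RubyGems code): first-come ownership of
# gem names for a mirror that copies released .gem files into a repo.
class GemOwnerRegistry
  # "rake-0.2.1.gem" -> ["rake", "0.2.1"]; the name part is matched
  # lazily so hyphenated names like "my-gem-1.0.gem" split correctly.
  GEM_FILE = /\A([a-z0-9_-]+?)-(\d[\w.]*)\.gem\z/i

  # Returns [name, version], or nil when the filename is not a gem.
  def self.parse(filename)
    m = GEM_FILE.match(filename)
    m && [m[1], m[2]]
  end

  # owners: gem name => email (assumed identity) of the first submitter.
  def initialize(owners = {})
    @owners = owners
  end

  # Decide whether a release may be copied into the repository.
  # Returns [:accepted, reason] or [:rejected, reason]; a rejection
  # carries the owner on record so the conflict can be logged/reviewed.
  def submit(filename, email)
    name, version = self.class.parse(filename)
    return [:rejected, "malformed gem filename: #{filename}"] unless name

    owner = @owners[name]
    if owner.nil?
      @owners[name] = email            # first release claims the name
      [:accepted, "#{name} registered to #{email}"]
    elsif owner == email
      [:accepted, "#{name}-#{version} released by owner #{email}"]
    else
      [:rejected, "#{name} is owned by #{owner}, refused for #{email}"]
    end
  end

  def owner_of(name)
    @owners[name]
  end
end
```

The check is only as strong as the channel that asserts `email`: an unverified From: header is not authentication, so in practice the identity must come from the release system's own login or a signed submission.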