[Rubygems-developers] RubyForge Security/Release question

Richard Kilmer rich at infoether.com
Mon Mar 15 10:18:36 EST 2004


I have a script that can run that will check all the files released on 
RubyForge (gForge) and when it finds a .gem file it is copied into the 
gems repository.  The problem is this.  Any project can release a file 
with any gem name.  So, if I wanted to break the Rake project I could 
(under Jabber4r) release a file/gem named: rake-0.2.1.gem which would 
then be copied over the existing rake-0.2.1.gem in the global repo.  Of 
course, we would know who released that file (project/user) and could 
hammer them, but that is after the fact.  Anyone have an idea on how we 
could solve this?  Limiting the person who could release a gem of some 
known name?

Perhaps base it on email rather than gforge's file release?  Then if 
you emailed a gem (say jabber4r-0.7.0) it would check to see if a gem 
of that name exists, and if so, which email address is the first one 
from, and if not, adding that email address as the 'author/updater' of 
that gem?

Let me know your thoughts.
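As an added illustration of the first-claimant scheme proposed in the mail (this is example code, not part of the original message or of the RubyForge release script): the first e-mail address to release a given gem name becomes its recorded owner, and any later release of that name from a different address is rejected and logged rather than copied over the existing file. All names, addresses and sample releases below are constructed.

```ruby
# Constructed ownership registry: the first e-mail address to release a gem
# name owns it; later releases of that name from anyone else are rejected.

# Parses "rake-0.2.1.gem" into ["rake", "0.2.1"]; returns nil for non-gems.
def gem_name_and_version(filename)
  m = filename.match(/\A([A-Za-z0-9_\-]+)-(\d+(?:\.\d+)*)\.gem\z/)
  m && [m[1], m[2]]
end

class GemOwnershipRegistry
  attr_reader :owners, :log

  def initialize(owners = {})
    @owners = owners # gem name => e-mail of the first releaser
    @log = []        # audit trail a maintainer can review after the fact
  end

  # Decide whether a released file may be copied into the global repo.
  # Returns :registered (new name claimed), :accepted (owner re-released),
  # :rejected (name owned by someone else) or :ignored (not a .gem file).
  def submit(filename, releaser)
    parsed = gem_name_and_version(filename)
    return :ignored unless parsed
    name, version = parsed
    owner = @owners[name]
    if owner.nil?
      @owners[name] = releaser
      @log << "registered #{name} #{version} to #{releaser}"
      :registered
    elsif owner == releaser
      :accepted
    else
      @log << "REJECTED #{filename} from #{releaser}: owned by #{owner}"
      :rejected
    end
  end
end

# Constructed sample releases as [filename, releaser e-mail] pairs; the third
# entry is the mail's scenario, a rake gem released by the jabber4r maintainer.
SAMPLE_RELEASES = [
  ["rake-0.2.1.gem", "jim@example.com"],
  ["jabber4r-0.7.0.gem", "rich@example.com"],
  ["rake-0.2.1.gem", "rich@example.com"],
  ["rake-0.2.2.gem", "jim@example.com"],
  ["README.txt", "rich@example.com"]
].freeze

def process_releases(releases, registry = GemOwnershipRegistry.new)
  releases.map { |file, who| registry.submit(file, who) }
end
```

Running `process_releases(SAMPLE_RELEASES)` yields `[:registered, :registered, :rejected, :accepted, :ignored]`, and the rejected entry stays visible in the registry's log so the conflicting release can be reviewed instead of silently replacing the existing file.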

