[Rubygems-developers] Reviewing the Tattle Data (was RubyGems platform thread)
Charles Oliver Nutter
charles.nutter at sun.com
Thu Apr 26 14:29:19 EDT 2007
Eric Hodel wrote:
> How exactly is it sensitive? If I'm able to run code on the box I
> can find ruby, via rbconfig.rb or traversing the filesystem. On the
> other hand, if I had a non-ruby vector for getting into your machine,
> I'm sure there's lots of other stuff I'd compromise before I got
> around to messing with your ruby installation.
I just don't like personally-identifiable information about my
filesystem layout to be published without my knowledge. Someone noisier
than me will start causing trouble for that eventually. Sure, it's not a
big deal, but it's exactly the kind of thing security folks frown on.
Also, how is this information even useful? Is there a good reason to
grab and publish the install prefix for every Ruby that tattles?