[Rubygems-developers] Reviewing the Tattle Data (was RubyGems platform thread)

Charles Oliver Nutter charles.nutter at sun.com
Thu Apr 26 14:29:19 EDT 2007


Eric Hodel wrote:
> How exactly is it sensitive?  If I'm able to run code on the box I  
> can find ruby, via rbconfig.rb or traversing the filesystem.  On the  
> other hand, if I had a non-ruby vector for getting into your machine,  
> I'm sure there's lots of other stuff I'd compromise before I got  
> around to messing with your ruby installation.

I just don't like personally-identifiable information about my 
filesystem layout to be published without my knowledge. Someone noisier 
than me will start causing trouble for that eventually. Sure, it's not a 
big deal, but it's exactly the kind of thing security folks frown on. 
Also, how is this information even useful? Is there a good reason to 
grab and publish the install prefix for every Ruby that tattles?

- Charlie

