[Rubygems-developers] Reviewing the Tattle Data (was RubyGems platform thread)

Eric Hodel drbrain at segment7.net
Thu Apr 26 15:53:07 EDT 2007


On Apr 26, 2007, at 11:29, Charles Oliver Nutter wrote:
> Eric Hodel wrote:
>> How exactly is it sensitive?  If I'm able to run code on the box I
>> can find ruby, via rbconfig.rb or traversing the filesystem.  On the
>> other hand, if I had a non-ruby vector for getting into your machine,
>> I'm sure there's lots of other stuff I'd compromise before I got
>> around to messing with your ruby installation.
>
> I just don't like personally-identifiable information about my
> filesystem layout to be published without my knowledge. Someone noisier
> than me will start causing trouble for that eventually. Sure, it's not a
> big deal, but it's exactly the kind of thing security folks frown on.
> Also, how is this information even useful? Is there a good reason to
> grab and publish the install prefix for every Ruby that tattles?

$ tattle -h
Usage:
tattle report # Print config data without sending
tattle post # Post config data (this is the default)


