[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
Tom Copeland
tom at infoether.com
Wed Jan 17 11:03:26 EST 2007
> > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > unless it was uploaded to the rails project on RubyForge... so only
> > folks who deliberately downloaded the gem from your project area would
> > get p0wnd...
>
> That's a good start, but it doesn't address the situation
> where one of the mirrors or RubyForge itself is compromised,
> and a malicious gem is forcibly inserted into the rotation.
Oh, yup, you're quite right there. I agree with your comments about gem
signing and such too... but I'm not sure how to help make that happen...
Yours,
Tom
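The point the quoted reply makes above (a compromised mirror, or RubyForge itself, can serve whatever bytes it likes, and a checksum served by that same mirror can simply be recomputed for the trojaned package) as an added Ruby example. This is illustration code written for this page, not code from the thread or from RubyGems; the publisher key, the package bytes and the tampered bytes are all constructed here, and the stand-in for a real .gem file is just a string. It shows why signing with a key the mirror never holds, verified against a public key pinned out of band, is the check that survives a mirror compromise:

```ruby
require 'openssl'
require 'digest'

# Publisher side: an RSA signing key. In practice the private half stays
# with the gem author; the mirror only ever sees packages and signatures.
PUBLISHER_KEY        = OpenSSL::PKey::RSA.new(2048)
PUBLISHER_PUBLIC_PEM = PUBLISHER_KEY.public_key.to_pem  # what clients pin

# Produce a detached signature over the SHA-256 digest of the package bytes.
def sign_package(private_key, package_bytes)
  private_key.sign(OpenSSL::Digest.new('SHA256'), package_bytes)
end

# Client side: verify the bytes a mirror handed back against the pinned
# publisher key. True only if the signature was made over exactly these bytes
# by the holder of the matching private key; any tampering or a signature
# from some other key yields false.
def package_authentic?(public_pem, package_bytes, signature)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  pub.verify(OpenSSL::Digest.new('SHA256'), signature, package_bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# A checksum published by the same mirror that serves the package is not a
# defence: whoever controls the mirror recomputes it for the trojaned bytes.
def mirror_checksum_matches?(served_bytes, served_checksum)
  Digest::SHA256.hexdigest(served_bytes) == served_checksum
end

# Constructed sample package (stand-in for a real .gem tarball) and its
# genuine signature, as the honest publisher would produce them.
GENUINE_GEM = "example-1.0.0.gem: genuine package contents\n"
SIGNATURE   = sign_package(PUBLISHER_KEY, GENUINE_GEM)

# What a compromised mirror slips into the rotation under the same name
# (hypothetical tampered bytes, constructed for this example).
TROJANED_GEM = GENUINE_GEM.sub('genuine', 'trojaned; runs extra code on install')

# Signature made with some other key (an attacker who can sign, but not as
# the publisher) must also be rejected by a client that pins the publisher key.
ATTACKER_KEY       = OpenSSL::PKey::RSA.new(2048)
ATTACKER_SIGNATURE = sign_package(ATTACKER_KEY, TROJANED_GEM)

if __FILE__ == $PROGRAM_NAME
  puts "genuine gem, publisher signature:  #{package_authentic?(PUBLISHER_PUBLIC_PEM, GENUINE_GEM, SIGNATURE)}"
  puts "trojaned gem, publisher signature: #{package_authentic?(PUBLISHER_PUBLIC_PEM, TROJANED_GEM, SIGNATURE)}"
  puts "trojaned gem, attacker signature:  #{package_authentic?(PUBLISHER_PUBLIC_PEM, TROJANED_GEM, ATTACKER_SIGNATURE)}"
  recomputed = Digest::SHA256.hexdigest(TROJANED_GEM)
  puts "trojaned gem vs mirror's own checksum: #{mirror_checksum_matches?(TROJANED_GEM, recomputed)}"
end
```

The checksum case is the one to notice: it passes for the trojaned package because the attacker who controls the mirror controls the checksum too. Only the signature check, whose verification key the client obtained somewhere other than the mirror, distinguishes the genuine bytes from the substituted ones.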