[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps(was "Re: Need to release 0.9.1 due to security exploit")
tom at infoether.com
Wed Jan 17 11:03:26 EST 2007
> > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > unless it was uploaded to the rails project on RubyForge... so only
> > folks who deliberately downloaded the gem from your project
> area would
> > get p0wnd...
> That's a good start, but it doesn't address the situation
> where one of the mirrors or RubyForge itself is compromised,
> and a malicious gem is forcibly inserted into the rotation.
Oh, yup, you're quite right there. I agree with your comments about gem
signing and such too... but I'm not sure how to help make that happen...
More information about the Rubygems-developers