[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")
tom at infoether.com
Wed Jan 17 13:42:34 EST 2007
> > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > unless it was uploaded to the rails project on RubyForge... so only
> > folks who deliberately downloaded the gem from your project
> > area would
> > get p0wnd...
> How does that work, Tom? PDF::Writer's gem is pdf-writer but
> is on the ruby-pdf project. Transaction::Simple is (I
> believe) transaction-simple, but the project name is
> trans-simple (stupid 15 character project name limit).
Right, because it's a namespace thing. The first project to "stake a
claim" wins. So you could release an asteroids-0.1.gem on your project,
and then no one else could release an asteroids gem.