[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps (was "Re: Need to release 0.9.1 due to security exploit")

Tom Copeland tom at infoether.com
Wed Jan 17 13:42:34 EST 2007

> > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > unless it was uploaded to the rails project on RubyForge... so only
> > folks who deliberately downloaded the gem from your project area would
> > get p0wnd...
> How does that work, Tom? PDF::Writer's gem is pdf-writer but 
> is on the ruby-pdf project. Transaction::Simple is (I 
> believe) transaction-simple, but the project name is 
> trans-simple (stupid 15 character project name limit).

Right, because it's a namespace thing.  The first project to "stake a
claim" wins.  So you could release an asteroids-0.1.gem on your project,
and then no one else could release an asteroids gem.
