[Rubygems-developers] Trojan a RubyGems Package in 3 Easy Steps(was "Re: Need to release 0.9.1 due to security exploit")

Chad Woolley thewoolleyman at gmail.com
Wed Jan 17 16:12:15 EST 2007

Maybe we could investigate how the Maven folks handle this problem.  I
know they had to address similar security concerns related to their
central repository, and have had a few years (and a major redesign in
Maven2) to think about the problem.

-- Chad

On 1/17/07, Tom Copeland <tom at infoether.com> wrote:
> > > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > > unless it was uploaded to the rails project on RubyForge... so only
> > > folks who deliberately downloaded the gem from your project
> > area would
> > > get p0wnd...
> >
> > That's a good start, but it doesn't address the situation
> > where one of the mirrors or RubyForge itself is compromised,
> > and a malicious gem is forcibly inserted into the rotation.
> Oh, yup, you're quite right there.  I agree with your comments about gem
> signing and such too... but I'm not sure how to help make that happen...
> Yours,
> Tom
> _______________________________________________
> Rubygems-developers mailing list
> Rubygems-developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers

More information about the Rubygems-developers mailing list