[Rubygems-developers] Need to release 0.9.1 due to security exploit
drbrain at segment7.net
Wed Jan 17 21:36:47 EST 2007
Your message is lengthy, so forgive me if I trim too vigorously.
On Jan 17, 2007, at 16:44, Paul Duncan wrote:
> Unfortunately, the actual crypto isn't the hard part.
> The hard part is getting developers to adopt it. I feel like the
> documentation is adequate, and I also posted an entry on my web site
> that has a relatively automagic gem signing blurb that can be dropped
> into a Rakefile or Gem specification. Here it is:
> (Ignore the first paragraph about the Rake patch and skip to the
> bit about gem signing).
Rake::PackageTask and Hoe are your vectors here. If the change is
that small, I can put it into Hoe.
Actually, why can't RubyGems just look in ~/.gemrc for these things?
Makes for one less step, and will work right around PackageTask and Hoe.
> Another "hard" aspect is trust (I alluded to this in the paragraph you
> quoted above). Specifically, how can a user be sure a particular
> certificate (or public key) is associated with the author of a given
> So, in order for a RubyGems end user to "trust" a package, we need
> either an established X.509 PKI trust hierarchy (including pre-
> root issuing certificates, some sort of security policy, and
> a CRL distribution point and OCSP responder as well) or a bridge to
> PGP's web of trust.
I think you're the expert here; how do we get any of this going?
Which is best?
> Obviously this is more work than most gem authors should be expected to
> do, which is why it'd be nice to have the aforementioned trust
> in place. Even something as simple as a button to upload your signing
> key(s) to RubyForge and an ominous-sounding warning from RubyGems when
> installing unsigned gems would be better than what we've got now, which is
> PS. I don't usually toot my own horn, but if you're still reading this
> far and find this kind of stuff interesting, there are a couple
> additional posts I've written in the last week or so that deal with
> security, identity, and trust. The posts are available at the
> (for the last one, scroll down to see my response to Sean's post)
> Paul Duncan <pabs at pablotron.org> OpenPGP Key ID: 0x82C29562
> http://www.pablotron.org/ http://www.paulduncan.org/
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!