[Rubygems-developers] Need to release 0.9.1 due to security exploit
Eric Hodel
drbrain at segment7.net
Wed Jan 17 21:36:47 EST 2007
Your message is lengthy, so forgive me if I trim too vigorously.
On Jan 17, 2007, at 16:44, Paul Duncan wrote:
> Unfortunately, the actual crypto isn't the hard part.
>
> The hard part is getting developers to adopt it. I feel like the
> documentation is adequate, and I also posted an entry on my web site
> that has a relatively automagic gem signing blurb that can be dropped
> into a Rakefile or Gem specification. Here it is:
>
> http://pablotron.org/?cid=1510
> (Ignore the first paragraph about the Rake patch and skip to the later
> bit about gem signing).
Rake::PackageTask and Hoe are your vectors here. If the change is
that small, I can put it into Hoe.
Actually, why can't RubyGems just look in ~/.gemrc for these things?
Makes for one less step, and will work right around PackageTask and Hoe.
> Another "hard" aspect is trust (I alluded to this in the paragraph you
> quoted above). Specifically, how can a user be sure a particular
> certificate (or public key) is associated with the author of a given
> gem?
>
> So, in order for a RubyGems end user to "trust" a package, we need
> either an established X.509 PKI trust hierarchy (including pre-packaged
> root issuing certificates, some sort of security policy, and preferably
> a CRL distribution point and OCSP responder as well) or a bridge to
> PGP's web of trust.
I think you're the expert here, how do we get any of this going?
Which is best?
> Obviously this is more work than most gem authors should be expected to
> do, which is why it'd be nice to have the aforementioned trust mechanism
> in place. Even something as simple as a button to upload your signing
> key(s) to RubyForge and an ominous-sounding warning from RubyGems when
> installing unsigned gems would be better than what we've got now, which is
> nothing.
> PS. I don't usually toot my own horn, but if you're still reading this
> far and find this kind of stuff interesting, there are a couple
> additional posts I've written in the last week or so that deal with
> security, identity, and trust. The posts are available at the following
> URLs:
>
> http://programming.reddit.com/info/xqnp/comments/cxt6j
> http://programming.reddit.com/info/xqnp/comments/cxtrj
> http://hellojoseph.com/298/setting-up-apache-ssl-encryption-should-not-be-this-complicated
> (for the last one, scroll down to see my response to Sean's post)
>
> --
> Paul Duncan <pabs at pablotron.org> OpenPGP Key ID: 0x82C29562
> http://www.pablotron.org/ http://www.paulduncan.org/
> _______________________________________________
> Rubygems-developers mailing list
> Rubygems-developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
--
Eric Hodel - drbrain at segment7.net - http://blog.segment7.net
I LIT YOUR GEM ON FIRE!
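The two checks the thread keeps circling (does the signature verify, and does the signer's certificate chain to something the user already trusts) can be shown end to end with Ruby's bundled OpenSSL library. The following is an added example written for this archive page; it is not code from the thread, from Paul's gem-signing blurb, or from RubyGems' own Gem::Security module. It generates a self-signed author certificate, signs a constructed stand-in for the gem bytes, and then runs the installer-side check against a trust store, including the case the thread warns about: a perfectly valid signature from a certificate nobody has vouched for.

```ruby
require 'openssl'

# Build a self-signed X.509 certificate plus its private key for a subject.
# This stands in for the signing identity a gem author would generate; the
# helper is constructed for this example and is not RubyGems code.
def make_self_signed_cert(common_name, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Detached signature over the package bytes, as a gem author would produce.
def sign_package(data, key)
  key.sign(OpenSSL::Digest.new('SHA256'), data)
end

# The check an installer has to make before trusting a signed package:
#   1. the signature must verify under the certificate shipped with it, and
#   2. that certificate must chain to something the user already trusts.
# Step 2 is the "trust" problem from the thread: a valid signature from an
# unknown certificate proves nothing about who the author is.
def verify_signed_package(data, signature, signer_cert, trusted_certs)
  digest = OpenSSL::Digest.new('SHA256')
  return :bad_signature unless signer_cert.public_key.verify(digest, signature, data)

  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  store.verify(signer_cert) ? :ok : :untrusted_signer
end

# Runs the scenarios an installer can meet: trusted author, tampered bytes,
# no trust anchors configured, and an impostor with their own valid cert.
def run_demo
  author_cert, author_key = make_self_signed_cert('gem-author', 1)
  other_cert,  other_key  = make_self_signed_cert('somebody-else', 2)
  package = "constructed gem payload\n"   # constructed stand-in for .gem bytes
  sig = sign_package(package, author_key)
  {
    trusted:  verify_signed_package(package, sig, author_cert, [author_cert]),
    tampered: verify_signed_package(package + 'x', sig, author_cert, [author_cert]),
    no_trust: verify_signed_package(package, sig, author_cert, []),
    impostor: verify_signed_package(package, sign_package(package, other_key),
                                    other_cert, [author_cert])
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, result| puts "#{name}: #{result}" }
end
```

The `impostor` case is the one worth staring at: the signature is cryptographically fine, so a signature-only check would pass it, and only the trust-store lookup rejects it. That is the gap a pre-packaged root, a RubyForge key upload, or a PGP bridge would have to fill; the crypto in `sign_package` is the easy half.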