[Rubygems-developers] Executing code after installing gem

Luis Lavena luislavena at gmail.com
Tue Nov 25 11:43:46 EST 2008

On Tue, Nov 25, 2008 at 2:34 PM, Berger, Daniel <Daniel.Berger at qwest.com> wrote:
>> -----Original Message-----
>> From: rubygems-developers-bounces at rubyforge.org
>> [mailto:rubygems-developers-bounces at rubyforge.org] On Behalf
>> Of Charlie Savage
>> Sent: Tuesday, November 25, 2008 9:29 AM
>> To: rubygems-developers at rubyforge.org
>> Subject: Re: [Rubygems-developers] Executing code after installing gem
>> > RubyGems is not designed for arbitrary code execution, which will be a
>> > security concern.
>> Except it already does by letting a developer specify a
>> Rakefile in spec.extensions.  That's how I hacked around
>> RubyGems to correctly install dependent dlls into the lib directory.
>> Not to mention the fact that once I have my gem installed, it
>> can pretty much do what it wants.
> Interesting.
> Maybe we should provide a builtin hook for a post installation task on
> the condition that the gem is signed?
> Just a thought.

This was discussed previously in the list back in 2006/2007 and no
positive value was gained at that time.

It will be very helpful to a lot of gems, but at the same time package
maintainers from Debian / Ubuntu could object to it (which they
already do).

The thing is that, due to the sudo power given during gem installation,
the build process runs as sudo, not as a normal user, so the extconf.rb
has all the power to do nasty things.

I'm personally not fond of allowing more than what we already do as a side effect.

Luis Lavena
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
