[Rubygems-developers] gem problem

Luis Lavena luislavena at gmail.com
Wed Apr 1 08:15:44 EDT 2009


On Wed, Apr 1, 2009 at 7:33 AM, James Tucker <jftucker at gmail.com> wrote:
>
> On 1 Apr 2009, at 06:13, Chad Woolley wrote:
>
>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
>>>
>>> It seems that there was a bogus github gem floating around, mojombo-grit.
>>>  It was adding directories to the file list...  I'm investigating it.
>>
>> Hmm:
>>  http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
>>
>> What I'm wondering is - how easy would it be to do this maliciously
>> and with greater effect, if this minor snafu caused problems.
>
> Create a github user called ruby, now you can easily replace any of the
> ruby- projects with new counterparts from the github gem server, for a great
> many users.
>
> 1 of many
>

Well, that has already been blocked by GitHub: ruby, net,
win32, and others I believe.

Anyhow, gems should be tested before being made available to the indexer,
so that's something GitHub should be poked about.
-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
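
One way to test a gem's file list before it reaches an indexer, as an added example that is not part of the original message and is not RubyGems or GitHub code. The function name, the reason symbols and the sample tree are assumptions; beyond the directory entries mentioned in the thread, it also flags missing files and entries that point outside the gem root.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Hypothetical pre-index check: returns { entry => reason } for every
# file-list entry that should stop the gem from being indexed.
def file_list_problems(files, root)
  root = Pathname.new(root).realpath
  files.each_with_object({}) do |entry, problems|
    path = Pathname.new(entry)
    # Entries must stay inside the gem root.
    if path.absolute? || path.each_filename.to_a.include?("..")
      problems[entry] = :escapes_root
      next
    end
    full = root + path
    if !full.exist?
      problems[entry] = :missing
    elsif full.directory?
      # The case from the thread: a directory listed as if it were a file.
      problems[entry] = :directory
    elsif !full.file?
      problems[entry] = :not_regular_file
    end
  end
end

# Constructed sample tree and file list: directories ("lib", "lib/grit")
# are listed next to real files, plus one missing and one escaping entry.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "lib/grit"))
    File.write(File.join(root, "lib/grit.rb"), "module Grit; end\n")
    File.write(File.join(root, "lib/grit/repo.rb"), "# constructed sample\n")
    files = ["lib", "lib/grit.rb", "lib/grit", "lib/grit/repo.rb",
             "lib/grit/gone.rb", "../outside.rb"]
    file_list_problems(files, root)
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

An empty result means the list is safe to hand on; with a real gemspec the first argument would be `spec.files` and the second the unpacked gem directory.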

