[Rubygems-developers] gem problem

aslak hellesoy aslak.hellesoy at gmail.com
Wed Apr 1 10:25:57 EDT 2009


On Wed, Apr 1, 2009 at 9:32 AM, Daniel Berger <djberg96 at gmail.com> wrote:

> Chad Woolley wrote:
>
>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
>>
>>> It seems that there was a bogus github gem floating around, mojombo-grit.
>>>  It was adding directories to the file list...  I'm investigating it.
>>>
>>
>> Hmm:
>> http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
>>
>> What I'm wondering is - how easy would it be to do this maliciously
>> and with greater effect, if this minor snafu caused problems.
>>
>> How's that circle of trust thing coming?
>>
>
> If it comes to it we'll start requiring gem signatures. :)
>

Most other packaging systems use MD5 signatures by default (apt-get, pear,
maven etc)
Why isn't Rubygems doing it?

Aslak


>
> Dan
>
>
> _______________________________________________
> Rubygems-developers mailing list
> Rubygems-developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rubyforge.org/pipermail/rubygems-developers/attachments/20090401/9b37979f/attachment-0001.html>


More information about the Rubygems-developers mailing list