[Rubygems-developers] gem problem
luislavena at gmail.com
Wed Apr 1 11:59:27 EDT 2009
2009/4/1 aslak hellesoy <aslak.hellesoy at gmail.com>:
> On Wed, Apr 1, 2009 at 9:32 AM, Daniel Berger <djberg96 at gmail.com> wrote:
>> Chad Woolley wrote:
>>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
>>>> It seems that there was a bogus github gem floating around,
>>>> It was adding directories to the file list... I'm investigating it.
>>> What I'm wondering is - how easy would it be to do this maliciously
>>> and with greater effect, if this minor snafu caused problems.
>>> How's that circle of trust thing coming?
>> If it comes to it we'll start requiring gem signatures. :)
> Most other packaging systems use MD5 signatures by default (apt-get, pear,
> maven etc)
> Why isn't Rubygems doing it?
You're talking about packaged files integrity while I think Daniel and
Ryan are talking about package signatures:

Luis at KEORE (D:\Users\Luis)
$ gem help install
    -P, --trust-policy POLICY    Specify gem trust policy

gem install mongrel -P HighSecurity

But first you need to install the certificates.
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
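
The distinction drawn in the reply above between file integrity and package signatures, as an added example (not part of the original message and not RubyGems' own code): a digest stored beside a package can be recomputed by whoever alters the package, while a signature only verifies against a key the installer already trusts. The sample data, the function names and the choice of SHA-256 with RSA keys are assumptions made for illustration.

```ruby
require "openssl"
require "digest"

# Constructed sample data: stand-ins for package bytes, not a real gem.
ORIGINAL = "lib/example.rb: puts 'hello'\n"
ALTERED  = "lib/example.rb: puts 'changed after publishing'\n"

# Integrity check: compare against a digest published next to the package.
def checksum_ok?(data, published_hex)
  Digest::SHA256.hexdigest(data) == published_hex
end

# Authenticity check: verify a signature with a key the installer already trusts.
def signature_ok?(data, signature, trusted_key)
  trusted_key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
rescue OpenSSL::PKey::PKeyError
  false
end

# Runs both checks on the original and on an altered copy whose checksum and
# signature were regenerated by someone without the author's private key.
def compare_checks
  author_key = OpenSSL::PKey::RSA.new(2048) # author's signing key (generated here)
  other_key  = OpenSSL::PKey::RSA.new(2048) # any key that is not the author's
  trusted    = author_key.public_key        # what the installer trusts in advance
  sha256     = OpenSSL::Digest.new("SHA256")

  published_sum = Digest::SHA256.hexdigest(ORIGINAL)
  published_sig = author_key.sign(sha256, ORIGINAL)
  replaced_sum  = Digest::SHA256.hexdigest(ALTERED) # needs no secret to recompute
  replaced_sig  = other_key.sign(sha256, ALTERED)   # valid only under other_key

  {
    original_checksum:     checksum_ok?(ORIGINAL, published_sum),
    original_signature:    signature_ok?(ORIGINAL, published_sig, trusted),
    altered_old_checksum:  checksum_ok?(ALTERED, published_sum),
    altered_new_checksum:  checksum_ok?(ALTERED, replaced_sum),
    altered_old_signature: signature_ok?(ALTERED, published_sig, trusted),
    altered_new_signature: signature_ok?(ALTERED, replaced_sig, trusted)
  }
end

compare_checks.each { |check, passed| puts "#{check}: #{passed}" } if __FILE__ == $0
```

Only altered_new_checksum passes for the altered copy: the checksum detects corruption when the published digest is left untouched, but it offers nothing once the digest is replaced along with the package.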