[Rubygems-developers] gem problem

Luis Lavena luislavena at gmail.com
Wed Apr 1 11:59:27 EDT 2009

2009/4/1 aslak hellesoy <aslak.hellesoy at gmail.com>:
> On Wed, Apr 1, 2009 at 9:32 AM, Daniel Berger <djberg96 at gmail.com> wrote:
>> Chad Woolley wrote:
>>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
>>>> It seems that there was a bogus github gem floating around, mojombo-grit.
>>>> It was adding directories to the file list...  I'm investigating it.
>>> Hmm:
>>>  http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
>>> What I'm wondering is - how easy would it be to do this maliciously
>>> and with greater effect, if this minor snafu caused problems.
>>> How's that circle of trust thing coming?
>> If it comes to it we'll start requiring gem signatures. :)
> Most other packaging systems use MD5 signatures by default (apt-get, pear, maven etc)
> Why isn't Rubygems doing it?

You're talking about packaged files integrity while I think Daniel and
Ryan are talking about package signatures:

Luis at KEORE (D:\Users\Luis)
$ gem help install

    -P, --trust-policy POLICY        Specify gem trust policy

gem install mongrel -P HighSecurity


But first you need to install the certificates.

Luis Lavena
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
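
An added illustration of the distinction drawn in the message above (not part of the original post and not RubyGems' own code): a checksum shipped with a package catches accidental corruption, but whoever can replace the package can recompute it, while a signature is checked against a key the installer already trusts. The sketch assumes a bare RSA key pair and SHA-256 in place of RubyGems' X.509 certificates; all names and sample data are constructed.

```ruby
require "openssl"
require "digest"

# Constructed sample data standing in for a gem's packaged bytes.
ORIGINAL = "lib/example.rb: module Example; end\n"
MODIFIED = ORIGINAL + "# lines that the publisher never wrote\n"

# Publisher side: the checksum needs no secret, the signature needs the private key.
def publish(data, private_key)
  { data: data,
    checksum: Digest::SHA256.hexdigest(data),
    signature: private_key.sign(OpenSSL::Digest.new("SHA256"), data) }
end

# Integrity-only check: compares the data with the checksum shipped beside it.
def checksum_ok?(pkg)
  Digest::SHA256.hexdigest(pkg[:data]) == pkg[:checksum]
end

# Signature check: verifies against a public key the installer already trusts.
def signature_ok?(pkg, trusted_public_key)
  trusted_public_key.verify(OpenSSL::Digest.new("SHA256"), pkg[:signature], pkg[:data])
end

# A replaced package can carry a freshly computed checksum, but the old
# signature no longer matches and a new one cannot be made without the key.
def replace_contents(pkg, new_data)
  pkg.merge(data: new_data, checksum: Digest::SHA256.hexdigest(new_data))
end

# Returns [checksum_ok?, signature_ok?] for three cases.
def demo
  key = OpenSSL::PKey::RSA.new(2048)   # hypothetical publisher key
  trusted = key.public_key             # what the installer has on file
  genuine = publish(ORIGINAL, key)
  corrupted = genuine.merge(data: MODIFIED)        # damaged in transit
  swapped = replace_contents(genuine, MODIFIED)    # replaced, checksum redone
  [genuine, corrupted, swapped].map { |p| [checksum_ok?(p), signature_ok?(p, trusted)] }
end

p demo if __FILE__ == $0
```

Only the signature check rejects the third case, which is the property a trust policy such as `-P HighSecurity` depends on once the publisher's certificate has been installed.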
