[Rubygems-developers] gem problem

Luis Lavena luislavena at gmail.com
Wed Apr 1 11:59:27 EDT 2009


2009/4/1 aslak hellesoy <aslak.hellesoy at gmail.com>:
>
>
> On Wed, Apr 1, 2009 at 9:32 AM, Daniel Berger <djberg96 at gmail.com> wrote:
>>
>> Chad Woolley wrote:
>>>
>>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
>>>>
>>>> It seems that there was a bogus github gem floating around,
>>>> mojombo-grit.
>>>>  It was adding directories to the file list...  I'm investigating it.
>>>
>>> Hmm:
>>>  http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
>>>
>>> What I'm wondering is - how easy would it be to do this maliciously
>>> and with greater effect, if this minor snafu caused problems.
>>>
>>> How's that circle of trust thing coming?
>>
>> If it comes to it we'll start requiring gem signatures. :)
>
> Most other packaging systems use MD5 signatures by default (apt-get, pear,
> maven etc)
> Why isn't Rubygems doing it?
>

You're talking about packaged files integrity while I think Daniel and
Ryan are talking about package signatures:

Luis at KEORE (D:\Users\Luis)
$ gem help install

    -P, --trust-policy POLICY        Specify gem trust policy


gem install mongrel -P HighSecurity

==

But first you need to install the certificates.

-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
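
The distinction drawn in the message above between packaged-file integrity and package signatures, as an added example that is not part of the original thread or of RubyGems itself. The file lists, the key pair and all method names are constructed for illustration, and SHA-256 stands in for any unkeyed digest such as the MD5 mentioned in the quoted reply.

```ruby
require 'digest'
require 'openssl'

# Constructed sample data standing in for a gem's packaged contents.
ORIGINAL = "lib/grit.rb\nlib/grit/repo.rb\n".freeze
MODIFIED = "lib/grit.rb\nlib/grit/repo.rb\nlib/\n".freeze

# Hypothetical publisher key pair, generated here for the demonstration only.
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLISHER_PUB = PUBLISHER_KEY.public_key

# What the publisher ships: contents, an unkeyed checksum, and a signature
# made with the publisher's private key.
def publish(contents, key)
  {
    contents:  contents,
    checksum:  Digest::SHA256.hexdigest(contents),
    signature: key.sign(OpenSSL::Digest.new('SHA256'), contents)
  }
end

# A party without the private key can swap the contents and recompute the
# checksum, but can only carry the old signature along unchanged.
def repackage_without_key(package, new_contents)
  package.merge(
    contents: new_contents,
    checksum: Digest::SHA256.hexdigest(new_contents)
  )
end

# Integrity check: detects accidental corruption only, because anyone can
# recompute the checksum after changing the contents.
def checksum_ok?(package)
  Digest::SHA256.hexdigest(package[:contents]) == package[:checksum]
end

# Signature check: ties the contents to the holder of the private key.
def signature_ok?(package, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA256'),
                    package[:signature], package[:contents])
end

genuine = publish(ORIGINAL, PUBLISHER_KEY)
altered = repackage_without_key(genuine, MODIFIED)
puts "genuine: checksum=#{checksum_ok?(genuine)} signature=#{signature_ok?(genuine, PUBLISHER_PUB)}"
puts "altered: checksum=#{checksum_ok?(altered)} signature=#{signature_ok?(altered, PUBLISHER_PUB)}"
```

The altered package still passes the checksum test and fails only the signature test, which is the kind of check a trust policy such as `-P HighSecurity` depends on once the publisher's certificate is installed.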

