[Rubygems-developers] gem problem

Berger, Daniel Daniel.Berger at qwest.com
Wed Apr 1 17:42:28 EDT 2009


 

> -----Original Message-----
> From: rubygems-developers-bounces at rubyforge.org 
> [mailto:rubygems-developers-bounces at rubyforge.org] On Behalf 
> Of Eric Hodel
> Sent: Wednesday, April 01, 2009 2:50 PM
> To: rubygems-developers at rubyforge.org
> Subject: Re: [Rubygems-developers] gem problem
> 
> 
> On Mar 31, 2009, at 22:13, Chad Woolley wrote:
> 
> > On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <drbrain at segment7.net> wrote:
> >> It seems that there was a bogus github gem floating around, mojombo-grit.
> >>  It was adding directories to the file list...  I'm investigating it.
> >
> > Hmm:
> > http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
> >
> > What I'm wondering is - how easy would it be to do this maliciously 
> > and with greater effect, if this minor snafu caused problems.
> 
> No matter how much I try to idiot proof things...
> 
> One of the bigger problems in packaging gems is people who 
> use glob or regexp to find files instead of a manifest file.

We could consider mandating that any files in the gem must also exist in a manifest file and/or capping the file limit. Just a thought.

Dan
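
Added example, not part of the original message and not RubyGems code: a Ruby sketch of the manifest-plus-cap check suggested above, run against a glob-built file list and a manifest-built one. The function name `check_file_list`, the `MAX_FILES` cap, `Manifest.txt`, and the sample file names are assumptions constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical checker (not a RubyGems API): compares a gemspec-style file
# list against a manifest file and returns an array of violation strings.
MAX_FILES = 5 # constructed cap, kept small for the demo

def check_file_list(root, files, manifest_path, max_files: MAX_FILES)
  manifest = File.readlines(manifest_path, chomp: true)
                 .map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
  problems = []
  problems << "too many files: #{files.size} > #{max_files}" if files.size > max_files
  files.each do |f|
    path = File.join(root, f)
    if File.directory?(path)
      problems << "directory in file list: #{f}"   # the failure seen in this thread
    elsif !File.file?(path)
      problems << "missing on disk: #{f}"
    elsif !manifest.include?(f)
      problems << "not in manifest: #{f}"
    end
  end
  (manifest - files).each { |f| problems << "in manifest but not packaged: #{f}" }
  problems
end

# Constructed sample project: a glob picks up a directory and a stray log file,
# while the explicit manifest-derived list passes cleanly.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "lib/grit"))
    %w[lib/grit.rb lib/grit/repo.rb lib/grit/debug.log].each do |f|
      File.write(File.join(root, f), "")
    end
    manifest = File.join(root, "Manifest.txt")
    File.write(manifest, "lib/grit.rb\nlib/grit/repo.rb\n")
    globbed = Dir.chdir(root) { Dir.glob("lib/**/*").sort }
    listed  = %w[lib/grit.rb lib/grit/repo.rb]
    { glob: check_file_list(root, globbed, manifest),
      manifest: check_file_list(root, listed, manifest) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```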

