On 2022-09-08, at 04:14, Paul Wouters via Datatracker <[email protected]> wrote:
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> gem install cbor-diag
>
> I am concerned about adding install commands for "programs from the internet"
> within an RFC. If the rubygem for some reason becomes malicious, we cannot
> pull it from the RFC (even if we pull it from the datatracker link, it would
> still live on in copies of the RFC elsewhere and malicious people could point
> to copies of those original RFCs to point people to download the malicious
> rubygem).
>
> I would be okay with an iet.org download location of a ruby gem.
“gem install” is the appropriate way to install rubygems software, not a “location of a rubygem”. What you seem to be asking for is some indirection so we can swap out the name of the gem in case cbor-diag becomes rogue. That does make some sense to me, but we’d need to install that indirection somewhere in a place maintained by the IETF.

➔ “Please consult https://www.ietf.org/software/cbor-diag for the way to install this software”.

And that page would contain instructions including “gem install cbor-diag” until that goes rogue.

Can we get such an infrastructure of pages recommending software up and running? Do we mire ourselves in process issues (who gets change control etc.)?

Data point from a quick search: The RFCs that already suggest installing rubygems via a direct “gem install” include RFC 8152, RFC 8610, RFC 9052.

(In reality, I’d expect the rubygems organization to act more quickly on a report of cbor-diag going rogue than the IETF would.)

Regards,
Carsten

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
