> On Sep 8, 2022, at 1:47 AM, Carsten Bormann <[email protected]> wrote:
>
> On 2022-09-08, at 04:14, Paul Wouters via Datatracker <[email protected]> wrote:
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> gem install cbor-diag
>>
>> I am concerned about adding install commands for "programs from the internet"
>> within an RFC. If the rubygem for some reason becomes malicious, we cannot
>> pull it from the RFC (even if we pull it from the datatracker link, it would
>> still live on in copies of the RFC elsewhere and malicious people could point
>> to copies of those original RFCs to point people to download the malicious
>> rubygem).
>>
>> I would be okay with an iet.org download location of a ruby gem.
>
> “gem install” is the appropriate way to install rubygems software, not a
> “location of a rubygem”.
>
> What you seem to be asking for is some indirection so we can swap out the
> name of the gem in case cbor-diag becomes rogue. That does make some sense
> to me, but we’d need to install that indirection somewhere in a place
> maintained by the IETF.
>
> ➔ “Please consult https://www.ietf.org/software/cbor-diag for the way to
> install this software”.
> And that page would contain instructions including “gem install cbor-diag”
> until that goes rogue.
>
> Can we get such an infrastructure of pages recommending software up and
> running? Do we mire ourselves in process issues (who gets change control
> etc.)?
>
> Data point from a quick search:
> The RFCs that already suggest installing rubygems via a direct “gem install”
> include RFC 8152, RFC 8610, RFC 9052.
>
> (In reality, I’d expect the rubygems organization to act more quickly on a
> report of cbor-diag going rogue than the IETF would.)
>
> Regards, Carsten
Paul: Are you satisfied with this explanation? Or, would you prefer the pointer to https://www.ietf.org/software/cbor-diag

Russ
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
