Sent from mobile, sorry for terse

On 20. Sep 2022, at 16:58, Russ Housley <[email protected]> wrote:

Carsten:

Do you have a webpage anywhere that can be pointed to by this document?

Russ

On Sep 8, 2022, at 8:36 PM, Paul Wouters <[email protected]> wrote:

I am fine with a pointer to a downloadable source which can also contain the commands to install the software. Upon compromise, the pointer can be updated to protect the immutable RFC text. Whether it points to GitHub or IETF or elsewhere doesn't matter to me.

Paul

Sent using a virtual keyboard on a phone

On Sep 8, 2022, at 16:04, Russ Housley <[email protected]> wrote:



On Sep 8, 2022, at 1:47 AM, Carsten Bormann <[email protected]> wrote:

On 2022-09-08, at 04:14, Paul Wouters via Datatracker <[email protected]> wrote:

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

      gem install cbor-diag

I am concerned about adding install commands for "programs from the internet"
within an RFC. If the rubygem for some reason becomes malicious, we cannot
pull it from the RFC (even if we pull it from the datatracker link, it would
still live on in copies of the RFC elsewhere, and malicious people could point
to copies of those original RFCs to point people to download the malicious rubygem).

I would be okay with an ietf.org download location of a ruby gem.

“gem install” is the appropriate way to install rubygems software, not a “location of a rubygem”.

What you seem to be asking for is some indirection so we can swap out the name of the gem in case cbor-diag becomes rogue.  That does make some sense to me, but we’d need to install that indirection somewhere in a place maintained by the IETF.

➔ “Please consult https://www.ietf.org/software/cbor-diag for the way to install this software”.
And that page would contain instructions including “gem install cbor-diag” until that goes rogue.

Can we get such an infrastructure of pages recommending software up and running?  Do we mire ourselves in process issues (who gets change control etc.)?

Data point from a quick search:
The RFCs that already suggest installing rubygems via a direct “gem install” include RFC 8152, RFC 8610, RFC 9052.

(In reality, I’d expect the rubygems organization to act more quickly on a report of cbor-diag going rogue than the IETF would.)

Regards, Carsten


Paul:

Are you satisfied with this explanation? Or, would you prefer the pointer to https://www.ietf.org/software/cbor-diag

Russ


_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
