> The one thing I'd like to be able to do is run a single command to say
> 'does this bundle have any known security updates?' This would open up
> the possibility to automate checking all the apps I'm responsible for,
> not to mention things like an aggregated security mailing list, etc,
> etc.
That's a really good idea, but I don't know how you could carry it out without giving people a false sense of security.

Unfortunately the gem ecosystem is a vast wilderness and any gem could contain exploits. Many gems monkeypatch various parts of Rails. Many gems latch on to the call chains. Many gems are forks of long-abandoned projects only accessible via a git URL. How would bundler know about every possible exploit in every gem? How would anybody know?

Maybe if you stuck to a known set of gems which went through some sort of an audit or quality assurance program it might work.
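As an added example (not part of this thread and not anyone's tool from it), here is a minimal Ruby sketch of the single command the first message asks for: read a Gemfile.lock, compare the version of every released gem against an advisory list, and report the matches. Everything in it is constructed for the example: the lockfile, the gem names fooparser, barauth, quuxcache and old_fork, and the EXAMPLE-000n advisories are placeholders, not real gems or real advisories. The one design point worth taking from it is the reply's objection: a gem pulled from a git URL has no release version an advisory could be keyed to, so the sketch reports it as unauditable instead of letting it pass as clean. (In practice this is the job the rubysec project's bundler-audit does against its ruby-advisory-db.)

```ruby
require "rubygems" # Gem::Version / Gem::Requirement do the version-range maths

# Constructed Gemfile.lock for the example: the gem names, the git remote and
# the versions are made up and do not describe any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://example.invalid/someone/old_fork.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      old_fork (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      barauth (2.1.0)
        rack (>= 1.0)
      fooparser (0.9.2)
      quuxcache (3.0.1)
      rack (1.4.1)
      rails (3.2.8)
        rack (~> 1.4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    barauth
    fooparser
    old_fork!
    quuxcache
    rails
LOCK

# Constructed advisory list. The EXAMPLE-000n ids and the version ranges are
# placeholders, not real advisories; a real tool would load a maintained
# database here instead of a literal.
Advisory = Struct.new(:id, :name, :patched, :unaffected, :title)
ADVISORIES = [
  Advisory.new("EXAMPLE-0001", "fooparser", [">= 0.9.3"], [],
               "placeholder: crash on crafted input"),
  Advisory.new("EXAMPLE-0002", "barauth", [">= 2.2.0"], ["< 2.0.0"],
               "placeholder: authentication bypass introduced in 2.0"),
  Advisory.new("EXAMPLE-0003", "quuxcache", ["~> 2.4.2", ">= 3.0.1"], [],
               "placeholder: already fixed in the locked version"),
].freeze

# Parse the top-level specs of a Gemfile.lock, remembering which source
# section (GIT, GEM, PATH) each gem came from. Top-level specs sit at four
# spaces of indentation; a spec's own dependencies sit at six and are skipped.
def parse_lockfile(text)
  source = nil
  specs = []
  text.each_line do |line|
    case line
    when /\A(GIT|GEM|PATH)\s*\z/ then source = Regexp.last_match(1)
    when /\A[A-Z][A-Z ]*\s*\z/ then source = nil # PLATFORMS, DEPENDENCIES, BUNDLED WITH
    when /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs << { name: Regexp.last_match(1), version: Regexp.last_match(2), source: source }
    end
  end
  specs
end

# A version is affected unless it falls in an unaffected range or a patched one.
def vulnerable?(advisory, version)
  v = Gem::Version.new(version)
  return false if advisory.unaffected.any? { |r| Gem::Requirement.new(r).satisfied_by?(v) }
  advisory.patched.none? { |r| Gem::Requirement.new(r).satisfied_by?(v) }
end

def audit(lock_text, advisories = ADVISORIES)
  parse_lockfile(lock_text).flat_map do |spec|
    if spec[:source] != "GEM"
      # A git or path gem's version is whatever its gemspec says at that
      # revision; advisories are keyed by released versions, so say so
      # rather than reporting the gem as clean.
      next [{ gem: spec[:name], version: spec[:version], status: :unauditable,
              note: "#{spec[:source]} source, version not tied to a release" }]
    end
    advisories.select { |a| a.name == spec[:name] && vulnerable?(a, spec[:version]) }
              .map { |a| { gem: spec[:name], version: spec[:version], status: :vulnerable,
                           advisory: a.id, title: a.title, patched: a.patched } }
  end
end

# Non-zero when anything known-vulnerable is locked, so CI can fail on it.
def exit_status(findings)
  findings.any? { |f| f[:status] == :vulnerable } ? 1 : 0
end

def report(findings)
  findings.map do |f|
    case f[:status]
    when :vulnerable  then "VULNERABLE  #{f[:gem]} #{f[:version]}: #{f[:advisory]} #{f[:title]} (patched: #{f[:patched].join(', ')})"
    when :unauditable then "UNAUDITABLE #{f[:gem]} #{f[:version]}: #{f[:note]}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  findings = audit(SAMPLE_LOCKFILE)
  puts report(findings)
  puts "exit status would be #{exit_status(findings)}"
end
```

Run as a script it prints one line per finding: two VULNERABLE lines for the placeholder advisories, one UNAUDITABLE line for the git-sourced gem, and nothing for gems with no advisory or whose locked version is already in a patched range. A real version of this would replace the literal advisory list with a database that is actually maintained, which is the part the reply is sceptical anyone can do for the whole ecosystem.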
