Tom Copeland ([EMAIL PROTECTED]) wrote:
> On Tue, 2007-01-16 at 23:05 -0500, Paul Duncan wrote:
> > if I wanted to install a trojan on thousands of peoples' machines, all I'd
> > need to do would be to build a malicious gem (see below), called
> > "rails-2.0" and upload it to my gem directory, then sit and wait.
>
> Hm, but that gem wouldn't be deployed on the RubyForge gem index unless
> it was uploaded to the rails project on RubyForge... so only folks who
> deliberately downloaded the gem from your project area would get
> p0wnd...

That's a good start, but it doesn't address the situation where one of the
mirrors or RubyForge itself is compromised, and a malicious gem is forcibly
inserted into the rotation.

> Yours,
>
> Tom

-- 
Paul Duncan <[EMAIL PROTECTED]>
OpenPGP Key ID: 0x82C29562
http://www.pablotron.org/
http://www.paulduncan.org/
_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
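The scenario Paul raises above (a compromised mirror, or RubyForge itself, swapping a gem into the rotation) is the case where trust in the index is not enough: whoever controls the mirror also controls the index entry, any checksum file and any certificate served alongside the gem. The only thing that survives is a signature checked against a public key the client already holds. The following is an added example, not code from this thread or from RubyGems' own Gem::Security, written to show that distinction. It assumes a publisher RSA key whose public half is pinned on the client out of band, and uses constructed gem payloads and an in-memory stand-in for a mirror; the function and class names (sign_gem, verify_gem, Mirror, install_from, scenario) are this example's own.

```ruby
require 'openssl'

DIGEST = 'SHA256'

# Publisher side: sign the exact bytes of the .gem archive with the project's
# private key. The signature travels with the gem (or next to it on the mirror).
def sign_gem(gem_bytes, private_key)
  private_key.sign(OpenSSL::Digest.new(DIGEST), gem_bytes)
end

# Client side: check the bytes the mirror served against a public key the
# client already trusts. Nothing served by the mirror (index entry, checksum
# file, bundled certificate) is consulted for trust, because all of it is under
# the attacker's control once the mirror is compromised.
def verify_gem(gem_bytes, signature, trusted_public_key)
  trusted_public_key.verify(OpenSSL::Digest.new(DIGEST), signature, gem_bytes)
rescue OpenSSL::PKey::PKeyError
  # Malformed signature blobs raise on some OpenSSL versions; treat as invalid.
  false
end

# Stand-in for a gem mirror: a name -> [gem_bytes, signature] map.
# An attacker who controls the mirror can overwrite either value.
class Mirror
  def initialize
    @files = {}
  end

  def publish(name, gem_bytes, signature)
    @files[name] = [gem_bytes, signature]
  end
  alias tamper publish   # same operation, performed by the attacker

  def fetch(name)
    @files.fetch(name)
  end
end

# Client install step: refuse to unpack anything (including extconf/post-install
# hooks) unless the signature verifies under the pinned key.
def install_from(mirror, name, trusted_public_key)
  gem_bytes, signature = mirror.fetch(name)
  return :rejected unless verify_gem(gem_bytes, signature, trusted_public_key)
  :installed
end

# Worked scenario with constructed keys and payloads (no real gems involved).
def scenario
  publisher_key = OpenSSL::PKey::RSA.new(2048)
  attacker_key  = OpenSSL::PKey::RSA.new(2048)
  trusted_pub   = publisher_key.public_key   # pinned on the client out of band

  genuine   = 'genuine rails-2.0.gem bytes (constructed)'
  malicious = 'malicious rails-2.0.gem bytes (constructed)'

  mirror = Mirror.new
  mirror.publish('rails-2.0.gem', genuine, sign_gem(genuine, publisher_key))
  results = { clean: install_from(mirror, 'rails-2.0.gem', trusted_pub) }

  # Case 1: the mirror swaps the payload but leaves the original signature.
  mirror.tamper('rails-2.0.gem', malicious, sign_gem(genuine, publisher_key))
  results[:swapped_payload] = install_from(mirror, 'rails-2.0.gem', trusted_pub)

  # Case 2: the attacker re-signs with their own key. The signature is
  # internally valid, which is why a "verify against the bundled cert" policy
  # would pass it; only the pinned key catches it.
  mirror.tamper('rails-2.0.gem', malicious, sign_gem(malicious, attacker_key))
  results[:attacker_signed] = install_from(mirror, 'rails-2.0.gem', trusted_pub)

  # Case 3: the signature field is garbage or stripped entirely.
  mirror.tamper('rails-2.0.gem', malicious, 'not a signature')
  results[:garbage_signature] = install_from(mirror, 'rails-2.0.gem', trusted_pub)

  results
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

The point of case 2 is the one that matters for the mirror-compromise argument: a gem that carries its own certificate and a signature over itself proves only that someone held the matching private key, and a compromised mirror can supply both. The client has to hold the publisher's key (or a chain rooted in one) before it ever talks to the mirror, and must do the verification before any code from the archive is run.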