> > Hm, but that gem wouldn't be deployed on the RubyForge gem index 
> > unless it was uploaded to the rails project on RubyForge... so only 
> > folks who deliberately downloaded the gem from your project area would 
> > get p0wnd...
> 
> That's a good start, but it doesn't address the situation 
> where one of the mirrors or RubyForge itself is compromised, 
> and a malicious gem is forcibly inserted into the rotation.

Oh, yup, you're quite right there.  I agree with your comments about gem
signing and such too... but I'm not sure how to help make that happen...

Yours,

Tom

_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers