Maybe we could investigate how the Maven folks handle this problem. I know they had to address similar security concerns related to their central repository, and have had a few years (and a major redesign in Maven2) to think about the problem.
-- Chad

On 1/17/07, Tom Copeland <[EMAIL PROTECTED]> wrote:
> > > Hm, but that gem wouldn't be deployed on the RubyForge gem index
> > > unless it was uploaded to the rails project on RubyForge... so only
> > > folks who deliberately downloaded the gem from your project area would
> > > get p0wnd...
> >
> > That's a good start, but it doesn't address the situation
> > where one of the mirrors or RubyForge itself is compromised,
> > and a malicious gem is forcibly inserted into the rotation.
>
> Oh, yup, you're quite right there. I agree with your comments about gem
> signing and such too... but I'm not sure how to help make that happen...
>
> Yours,
>
> Tom
>
> _______________________________________________
> Rubygems-developers mailing list
> Rubygems-developers@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
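As an added illustration of the point argued above (this is not code from the thread or from RubyGems itself), the Ruby sketch below models a mirror that may have been compromised and shows why a checksum published by that same mirror proves nothing, while a signature made with the author's key over the gem bytes does catch the substitution. The gem contents, the mirror, and the freshly generated RSA key are all constructed stand-ins.

```ruby
require 'openssl'
require 'digest'

# Constructed stand-in for a gem archive; a real gem is a tar file.
GEM_BYTES = "rails-1.2.1.gem: constructed sample contents".b

# Publisher side: the author holds the private key. The public half must reach
# the installer by a path the mirror cannot rewrite (that is the hard part the
# thread is wrestling with; here it is simply a constant).
AUTHOR_KEY = OpenSSL::PKey::RSA.new(2048)
AUTHOR_PUB = OpenSSL::PKey::RSA.new(AUTHOR_KEY.public_key.to_pem)

def sign_gem(key, bytes)
  key.sign(OpenSSL::Digest.new('SHA256'), bytes)
end

# Installer side: verify the bytes the mirror actually served against the
# author's signature, not against anything the mirror asserts.
def verify_gem(pub, bytes, sig)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, bytes)
end

# A mirror that may have been compromised: an honest one returns the published
# archive, a hostile one substitutes its own and publishes a matching checksum.
def fetch_from_mirror(compromised)
  bytes = compromised ? "rails-1.2.1.gem: constructed tampered contents".b : GEM_BYTES
  [bytes, Digest::SHA256.hexdigest(bytes)]
end

# Checking a gem against a checksum hosted on the same mirror: the check passes
# for the tampered copy too, because the attacker rewrote both files.
def mirror_checksum_ok?(compromised)
  bytes, served_sum = fetch_from_mirror(compromised)
  Digest::SHA256.hexdigest(bytes) == served_sum
end

SIG = sign_gem(AUTHOR_KEY, GEM_BYTES)

# Checking the served bytes against the author's signature: the tampered copy
# fails regardless of what the mirror says about it.
def signature_ok?(compromised)
  bytes, _ = fetch_from_mirror(compromised)
  verify_gem(AUTHOR_PUB, bytes, SIG)
end
```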