On Tue, Nov 25, 2008 at 2:34 PM, Berger, Daniel <[EMAIL PROTECTED]> wrote:

>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Savage
>> Sent: Tuesday, November 25, 2008 9:29 AM
>> To: rubygems-developers@rubyforge.org
>> Subject: Re: [Rubygems-developers] Executing code after installing gem
>>
>> > RubyGems is not designed for arbitrary code execution, which will be a
>> > security concern.
>>
>> Except it already does by letting a developer specify a Rakefile in
>> spec.extensions. That's how I hacked around RubyGems to correctly install
>> dependent dlls into the lib directory.
>>
>> Not to mention the fact that once I have my gem installed, it can pretty
>> much do what it wants.
>
> Interesting.
>
> Maybe we should provide a builtin hook for a post installation task on
> the condition that the gem is signed?
>
> Just a thought.
This was discussed previously on the list back in 2006/2007 and no positive value was gained at that time. It would be very helpful to a lot of gems, but at the same time package maintainers from Debian / Ubuntu could object to it (which they already do).

The thing is that due to the sudo power given during gem installation, the build process runs as sudo, not as the normal user, so the extconf.rb has all the power to do nasty things.

I'm personally not fond of allowing more than what we already do as a side effect.

--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.
Douglas Adams

_______________________________________________
Rubygems-developers mailing list
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
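The point raised in this thread is that any entry in `spec.extensions` (an extconf.rb, or a Rakefile as Charlie describes) is code that RubyGems runs at install time, with whatever privileges the installer has. As an added example, not code from the thread or from RubyGems itself, here is a small audit that lists those install-time entries for a gemspec, a not-yet-installed `.gem` file, or everything already installed, so a reviewer can inspect them before running `sudo gem install`. The mapping from file name to build kind is an assumption that mirrors how RubyGems picks its builder by file name; `extension_kind`, `install_time_code`, `audit_gem_file` and `audit_installed` are names chosen here, and the demo spec at the bottom is constructed.

```ruby
# Added example (not from the mailing-list thread): list the files in a
# gemspec's `extensions` that RubyGems will execute during installation.
require 'rubygems'
require 'rubygems/package'

# Classify an extension entry by how RubyGems would run it.
# Assumption: selection is by file name, mirroring RubyGems' builder choice
# (extconf.rb, a Rakefile or mkrf_conf*, a configure script, CMakeLists.txt).
def extension_kind(path)
  base = File.basename(path)
  case base
  when /extconf/           then :extconf   # ruby extconf.rb && make
  when /rakefile/i, /mkrf_conf/i then :rake # rake task, arbitrary Ruby
  when /configure/         then :configure # shell configure script
  when /CMakeLists\.txt/   then :cmake
  else :unknown                             # still executed; review it
  end
end

# One row per install-time entry for a Gem::Specification. An empty array
# means nothing in this gem runs at install (library code may still run later).
def install_time_code(spec)
  spec.extensions.map do |ext|
    { gem: spec.full_name, file: ext, kind: extension_kind(ext) }
  end
end

# Same check for a packaged .gem file that has not been installed yet.
def audit_gem_file(path)
  install_time_code(Gem::Package.new(path).spec)
end

# Everything already installed in the current RubyGems environment.
def audit_installed
  Gem::Specification.flat_map { |s| install_time_code(s) }
end

if __FILE__ == $0
  # Constructed demo spec, standing in for a gem declaring two build hooks.
  demo = Gem::Specification.new do |s|
    s.name = 'demo'
    s.version = '1.0.0'
    s.extensions = ['ext/demo/extconf.rb', 'Rakefile']
  end
  install_time_code(demo).each { |row| puts row.inspect }
  # Uncomment to audit the gems installed on this machine:
  # audit_installed.each { |row| puts row.inspect }
end
```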