On 11 Sep 2010, at 05:53, Urabe Shyouhei wrote:
> Excuse me, but (at least) I'm talking about a security issue.
>
> As long as we distribute a lib, its security issues shall be reported to us, and
> will be handled through a carefully built secure channel with the reporter. Open
> collaboration tools such as rubygems.org are not suited for this purpose.
> Delegation wouldn't help in this area. That's the headache I'm talking about;
> it's not a technical hurdle but a matter of communication cost (in a
> cryptographically strict way).

If you locally patch gems and do not communicate those patches upstream in a timely manner, and people can still fetch the insecure code upstream, then you have *not* taken the responsible actions. I don't see this as a valid excuse at all; in fact, I see it as further malpractice. Am I just misunderstanding you? Are you suggesting you're simply incapable of communicating with upstream authors on private channels? This seems like a problem that needs solving immediately, not skirting around and maintaining by way of bad process.