On Fri, 13 Aug 2004 13:37:45 +0900, David Ross <drossruby / yahoo.com> wrote:
> hmm. Okay, not design flaw, security flaw. I always
> seem to use wrong words. Since I keep calling it a
> security problem, it shouldn't be called a design
> problem.
> 
> People who download shouldn't have to be cautious as
> to look at the code. It should be up to someone else.
> Similar to what Debian package QA. --David Ross
> 
> 

So, this is the equivalent of having two release streams:  the
"normal" one, which the open source community generally follows and
then the special ones like Debian (and now RPA).  That makes sense. 
That's the way the open source community has done it for years. 
Where's the huge security flaw?


> 
> 
> --- Chad Fowler <chadfowler / gmail.com> wrote:
> 
> > On Fri, 13 Aug 2004 12:50:50 +0900, David Ross <drossruby / yahoo.com> wrote:
> > > Here's food for thought..
> > >
> > > What stops someone who has a registered project on
> > > RubyForge to abuse Gems? A constructive criticism in
> > > major design flaw. This is why a central repository
> > > where there is a QA team is good. They can look at
> > > code.
> > >
> >
> > This is not a design flaw.  It's an add-on feature for RubyForge.  It
> > has nothing to do with design of RubyGems or RubyForge.  RubyGems'
> > no-controlled approach is very reminiscent of, say, the way RAA works.
> > Or the Web, for that matter.  If you want to inspect a gem before you
> > install it, it's very much like any other packaging system:  download
> > the gem, unpack it, look through it, see that it's OK, install it.
> > The remote repository is a convenience but not at all a necessity.
> > For the vast majority, it makes things easier.  For the few that
> > aren't comfortable with it, you have an easy option of not using
> > auto-installation.
> >
> > There's nothing stopping someone from putting a QA'd, controlled
> > repository together with RubyGems.  Just not on my priority list.
> > Anyone's free to do it if they feel it's valuable, though.
> >
> > Chad
> >
> > > `rm -rf /` :)
> > >
> > > ---------------------------
> > > David Ross
> > > Phone: 865.539.3798
> > > Email: drossruby [at] yahoo.com
> > > ---------------------------
> > >
> > >
> > >
> > > --- James Britt <jamesUNDERBARb / neurogami.com> wrote:
> > >
> > > > Richard Kilmer wrote:
> > > >
> > > > > Release the file like you would any file (in the Files tab).  RubyForge
> > > > > picks them up and puts them in the repo, and they are (within an hour for
> > > > > now) available for remote download.
> > > >
> > > >
> > > > Excellent!  Thanks.
> > > >
> > > >
> > > > James
> > > > >
> > > > > -rich
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> 
> 
>
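
The inspect-before-install workflow described in the quoted message above (download the gem, unpack it, look through it, then install), as an added example that is not part of the original thread. It uses the present-day RubyGems library API (`Gem::Package`); the sample gem and the helper names `build_sample_gem` and `review_gem` are constructed for illustration.

```ruby
require "rubygems/package"
require "fileutils"
require "tmpdir"

# Constructed sample: builds a tiny .gem inside +dir+ so the example runs
# offline. A real review starts from a downloaded .gem file instead.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p(%w[lib ext])
    File.write("lib/demo.rb", "module Demo; end\n")
    File.write("ext/extconf.rb", "# executed by the installer at install time\n")
    spec = Gem::Specification.new do |s|
      s.name = "demo"
      s.version = "0.0.1"
      s.summary = "constructed sample"
      s.authors = ["example"]
      s.files = %w[lib/demo.rb ext/extconf.rb]
      s.extensions = %w[ext/extconf.rb]
    end
    File.join(dir, Gem::Package.build(spec, true)) # true = skip validation
  end
end

# Unpack +gem_path+ into +review_dir+ without installing it, and report
# what an install would run or expose.
def review_gem(gem_path, review_dir)
  pkg = Gem::Package.new(gem_path)
  spec = pkg.spec                  # reads the gem's metadata
  pkg.extract_files(review_dir)    # copies files only; executes nothing
  {
    name: spec.full_name,
    files: pkg.contents.sort,                # everything to read through
    install_time_code: spec.extensions,      # scripts run during install
    executables: spec.executables,           # commands placed on PATH
    dependencies: spec.dependencies.map(&:to_s),
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    report = review_gem(build_sample_gem(dir), File.join(dir, "review"))
    report.each { |key, value| puts "#{key}: #{value.inspect}" }
  end
end
```

Files listed under `install_time_code` deserve the first read, since the installer runs them before any of the library code is ever required.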