David Ross wrote:
> Joe PeelHacker decides he wants to screw over the ruby
> community. So, he gets a handful of http proxies, and
> uses a proxy chain to anonymously create a new
> project, create files, and create a gem.
> 
> Okay, right now he has accomplished pretty much
> everything he needs to do to start attacking. He
> releases a gem. It gets copied over without being
> looked at by a QA team. Ok, fine.

[... attack scenario elided ...]

A question about your scenario that wasn't clear to me:  Was the attack 
implemented in the install code, run as the root user?  Or was it 
implemented in the application code, run as a normal user?

Both attack scenarios are available to tarballs available on RubyForge 
today, so this is a situation that is real today.  It has little to do 
with RubyGems.

At least with RubyGems, the former attack scenario is not available, for 
only gem code is run during the installation.  The attacker gets no 
opportunity to run as root.

-- 
-- Jim Weirich    jim / weirichhouse.org     http://onestepback.org
-----------------------------------------------------------------
"Beware of bugs in the above code; I have only proved it correct,
not tried it." -- Donald Knuth (in a memo to Peter van Emde Boas)