On Aug 13, 2004, at 3:09, Mauricio Fernández wrote:

> On Fri, Aug 13, 2004 at 04:17:06PM +0900, Jim Weirich wrote:
>> At least with RubyGems, the former attack scenario is not available,
>> for only gem code is run during the installation. The attacker gets no
>> opportunity to run as root.
>
> IIRC both the extconf.rb and the Makefiles supplied with the gem will
> be run if the gem specifies it carries extensions, so there's some
> potential for abuse as root.

Absolutely, exactly the same as anything downloaded off the web, or off the RAA. That's why you download from places you trust, and read code if you're suspicious. RPA, Gems, RAA, or random downloads: there is _no_ difference in security.

As with all open source, security comes from folks reading and using code. I'm sure that not every line of code in the RPA offerings has been studied by a team of security experts, any more than code in the RAA or Gems has. And I, for one, am not worried by that.

I look to the RPA to deliver libraries that have been verified to install and work seamlessly together: RPA is a layer on top of Gems. Gems provides the raw material, and RPA produces blessed combinations of versions that the RPA team has verified to work together. I don't understand why the rpa folks had to reinvent the packaging wheel here: the service they offer is orthogonal to Gems, and could have used Gems as the distribution mechanism.

Cheers

Dave
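The point raised above, that a gem declaring extensions gets its extconf.rb and Makefiles executed on the installing machine, is the reason to read those files before running `gem install` as root. The script below is an added example, not code from the thread or from RubyGems itself: it takes a gem specification and reports which shipped files will be executed at install time. It assumes current RubyGems behaviour, where each `spec.extensions` entry is dispatched by filename (extconf.rb to ruby, Rakefile/mkrf_conf.rb to rake, configure to sh, CMakeLists.txt to cmake) and every builder then invokes `make`; the sample gem specification is constructed here, not a real gem.

```ruby
require 'rubygems'

# Map an entry of spec.extensions to the tool RubyGems hands it to at
# install time (assumption: current Gem::Ext::Builder dispatch rules).
def install_tool_for(extension)
  case File.basename(extension)
  when /extconf/i                    then :ruby    # runs extconf.rb, then make
  when /^rakefile$/i, /mkrf_conf/i   then :rake    # runs the Rakefile
  when /configure/i                  then :sh      # runs ./configure, then make
  when /^CMakeLists\.txt$/i          then :cmake   # runs cmake, then make
  else                                    :unknown # treat as executable anyway
  end
end

# Files a reviewer should read before installing: every extension script,
# plus any Makefile shipped in the gem (make runs it as shipped).
def install_time_files(spec)
  report = spec.extensions.map { |e| [e, install_tool_for(e)] }
  spec.files.grep(%r{(^|/)(GNUmakefile|Makefile)$}i).each { |m| report << [m, :make] }
  report
end

# A gem with no extensions and no Makefile only copies files into place.
def runs_code_at_install?(spec)
  !install_time_files(spec).empty?
end

# Constructed sample specification (not a real gem).
SAMPLE_SPEC = Gem::Specification.new do |s|
  s.name    = 'sample_ext'
  s.version = '0.1.0'
  s.summary = 'constructed sample with a C extension'
  s.authors = ['nobody']
  s.files   = %w[lib/sample_ext.rb ext/sample_ext/extconf.rb ext/sample_ext/Makefile]
  s.extensions = %w[ext/sample_ext/extconf.rb]
end

if __FILE__ == $0
  puts "#{SAMPLE_SPEC.full_name} runs code at install: #{runs_code_at_install?(SAMPLE_SPEC)}"
  install_time_files(SAMPLE_SPEC).each { |file, tool| puts "  #{tool}\t#{file}" }
end
```

For a downloaded .gem file, load its specification with `Gem::Package.new(path).spec` and pass that to `install_time_files` before installing.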