No motive. I for one don't want to run RubyGems as
root on a server which has several customers with
credit card numbers, and then get rooted just because
someone releases a really bad gem.

Also, there is limited access to who has a commit bit
to the ruby-lang cvs. We are talking about RubyForge
here. The thought did not occur to me until someone
mentioned how gems automatically get put in the
repository automatically; this is a bad thing.


---------------------------------
--David Ross
--Phone: 865.539.3798
--Email: drossruby [at] yahoo.com
---------------------------------

> On Aug 12, 2004, at 23:31, David Ross wrote:
> 
> > Heh, I didn't say I was going to do it. I was thinking
> > what happened with ruby-lang.org being hacked. What
> > really stops someone from violently attacking more
> > than just one computer? :)
> 
> There are a fair number of people with commit access
> to ruby-lang. I, for example, could add a trojan to the
> latest version of RDoc that would rewrite the source
> code to every Ruby program it documented.
> 
> When was the last time you studied all the source
> code for RDoc to ensure it is safe?
> 
> If you want safety, then you probably shouldn't be
> downloading stuff off the web and running it, at least
> until it has been verified by a professional team of QA
> folks. Microsoft software, for example, must be secure
> for that reason.
> 
> OpenSource software has operated this way for years.
> Taking that fact and labeling RubyGems as flawed
> because of it is remarkably irresponsible. What were
> your motives?
> 
> Dave
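The two concerns raised in this exchange (installing gems as root, and gems reaching the repository without anyone having reviewed them) are both things an operator can gate before the install step runs. The script below is an added example written for this page; it is not code from the thread, from RubyGems or from RubyForge. The gem file name, its contents and the "tampered" variant are constructed stand-ins, the pinned digest is derived from the constructed reviewed bytes so the example runs offline (in practice it would be recorded at review time), and the script only returns an allow/deny decision rather than invoking any install command.

```ruby
require 'digest'

# Constructed sample contents standing in for a .gem archive an operator
# has reviewed, and for a tampered copy of the same release. Not real gems.
REVIEWED_GEM_BYTES = "constructed: example-gem 1.0.0 reviewed contents\n".b
TAMPERED_GEM_BYTES = "constructed: example-gem 1.0.0 with an extra payload\n".b

# Allow-list of gem files someone has actually inspected, keyed by file
# name. The digest is derived here from the constructed reviewed bytes so
# the example is self-contained; a real list is written down at review time.
PINNED_SHA256 = {
  'example-gem-1.0.0.gem' => Digest::SHA256.hexdigest(REVIEWED_GEM_BYTES)
}.freeze

# A gem installed by root runs its install hooks with root privileges and
# lands in root-owned paths. The uid is injectable so the check is testable.
def running_as_root?(uid = Process.uid)
  uid.zero?
end

# Compare the file's digest with the pinned value for that file name.
# Returns :ok, :unpinned (never reviewed) or :mismatch (contents differ
# from what was reviewed, e.g. a replaced or trojaned release).
def verify_gem_bytes(file_name, bytes, pinned = PINNED_SHA256)
  expected = pinned[file_name]
  return :unpinned if expected.nil?

  actual = Digest::SHA256.hexdigest(bytes)
  actual == expected ? :ok : :mismatch
end

# Same check against a file on disk, read as binary.
def verify_gem_file(path, pinned = PINNED_SHA256)
  verify_gem_bytes(File.basename(path), File.binread(path), pinned)
end

# Decide whether an install may proceed. Returns { allowed:, reason: }.
# Root is refused before the digest is even looked at.
def install_gate(file_name, bytes, uid: Process.uid, pinned: PINNED_SHA256)
  if running_as_root?(uid)
    return { allowed: false, reason: 'refusing to install gems as root' }
  end

  case verify_gem_bytes(file_name, bytes, pinned)
  when :ok       then { allowed: true,  reason: 'digest matches reviewed release' }
  when :unpinned then { allowed: false, reason: 'no reviewed digest for this file' }
  else                { allowed: false, reason: 'digest does not match reviewed release' }
  end
end

if __FILE__ == $PROGRAM_NAME
  [['example-gem-1.0.0.gem', REVIEWED_GEM_BYTES],
   ['example-gem-1.0.0.gem', TAMPERED_GEM_BYTES],
   ['unknown-gem-0.1.0.gem', REVIEWED_GEM_BYTES]].each do |name, bytes|
    decision = install_gate(name, bytes, uid: 1000)
    puts "#{name}: #{decision[:allowed] ? 'ALLOW' : 'DENY'} (#{decision[:reason]})"
  end
  root_decision = install_gate('example-gem-1.0.0.gem', REVIEWED_GEM_BYTES, uid: 0)
  puts "as root: DENY (#{root_decision[:reason]})"
end
```

The digest check only tells you the file is the one somebody reviewed; it says nothing about whether that review was any good, which is the point Dave makes about RDoc. The root check is the cheaper and more reliable of the two: even a bad gem that slips through the allow-list cannot take the whole host with it if it was unpacked by an unprivileged account.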