On 8/13/04 4:26 AM, "Alexander Kellett" <ruby-lists / lypanov.net> wrote:

> [ummm wish i could get send hooks to change my from addr]
> 
> anyone with a brain could get malicious code into
> any package available on the planet, be it debian
> or whatever. the fact that ruby is so dynamic only
> makes this problem worse. only thing that is
> really going to stop this is a correctly sandboxed
> installer which uses a non-root user to compile
> and run the unit tests.

You don't need to run as root, only if you want to install in a system-wide
repository.  Actually, RubyGems runs just great installed by a user, in
their own directories, with no r00t access at all.  It's all a question of
what the target user/developer wants to do.

> 
> even this isn't enough. but it's closer at least.
> 
> root attacks are the killer and neither rpa-base
> nor gems provide easy to use non-root installs
> at the moment.

gem install --install-dir ~/mygems fxruby

That's not too arduous ;)

> 
> ignoring the problem and hoping people will just
> forget it was ever brought up ain't gonna help.
> 
> Alex

I don't advocate ignoring it.  I advocate NOT giving a false sense of
security.  

> 
> On Fri, Aug 13, 2004 at 01:44:33PM +0900, Richard Kilmer wrote:
>> OK...so you want to bet I can write malicious Ruby code that a QA person
>> would not find?  I mean really, QA is fine, 'this appears to work well...no
>> obvious flaws' but it is NOT security.  It's quite silly to equate the two.
>> 
>> That is, unless the QA team wants to _legally guarantee_ the code they are
>> approving...now that is quite another matter entirely ;-)
>> 
>> -rich
> 
>