On Fri, 13 Aug 2004, David Ross wrote:

> No motive. I for one don't want to run RubyGems as
> root on a server which has several customers with
> credit card numbers, and then get rooted just because
> someone releases a really bad gem.

That's fine; just don't single RubyGems out as any more or less
dangerous than anything else you might run as root (or non-root, for
that matter, if you value your home directory) without having examined
every line of code.  I fully understand that there's no point saying
this to you; I really just want to chime in with Dave and others in
the hope of decreasing the chance that anyone will take your points at
face value.

> Also, there is limited access to who has a commit bit
> to the ruby-lang cvs. We are talking about RubyForge
> here. The thought did not occur to me until someone
> mentioned how gems automatically get put in the
> repository; this is a bad thing.

You've been talking on IRC for weeks or months about how uniquely
insecure you think RubyGems is -- I should say, asserting that it's
insecure, rather than really talking about it -- and have never
connected it specifically with the phenomenon of gems being put in the
repository automatically.  The whole thing seems to be a bit of an
idee fixe for you, without technical basis and certainly not having
originated during this thread.

> ---------------------------------
> --David Ross
> --Phone: 865.539.3798
> --Email: drossruby [at] yahoo.com

Security tip: you might want to check the From header too.


David

-- 
David A. Black
dblack / wobblini.net