At Fri, 13 Aug 2004 21:23:00 +0900,
Dave Thomas wrote:
> 
> On Aug 13, 2004, at 7:15, David Ross wrote:
> 
> > No motive. I for one don't want to run RubyGems as
> > root on a server which has several customers with
> > credit card numbers, and then get rooted just because
> > someone releases a really bad gem.

I hope you wouldn't "just install" a gem "for fun" on such a box. Such
a box should only contain software that is really needed for it to do
its job and nothing more. And for all the software that you install on
it, it would be wise to take software that has proven itself to be
good, stable and secure. If you can get that software 'signed', from a
trusted source then I think it's reasonable to assume that it's
'secure', if it has been in use for some time and there are no known
security problems with it.

If you just go out and install the 5-minutes-ago-released new gem that
seems to be cool, although you actually haven't tried it on a test box
first for some time, then yeah, you might run into some serious
problems some day...

(afaik, RubyGems won't act on its own and install gems; so even if
someone releases a malicious gem, then you still have to manually
install it before it can be a security threat, right?)

> Of course, but you'd be irresponsible to run _any_ open source 
> installed as root on such a box. I hope that you don't.

Hmm... it might also be irresponsible to run closed source code on it
that might contain backdoors...

> All Gems does is remove one step from downloading the library and 
> saying "ruby install.rb". Gems isn't anything to do with your worries. 
> The installation of open source software (any software) is inherently 
> dangerous, and there's ultimately no solution apart from community 
> vigilance.

I agree with that, gems just makes it easier to get the software.
People who will install gems just like that, would probably also
download the software just like that. Gems doesn't have any security
problems that weren't there already.

> I'm surprised by people here claiming to be concerned about security 
> who have their Ruby installation in /usr/local. If you are concerned 
> about root installs, RUBY SHOULD NOT BE IN A ROOT-ONLY WRITABLE 
> DIRECTORY. That's just common sense (and again is nothing to do with 
> Gems). Move your Ruby to a directory tree writable by you, and you'll 
> no longer need to be root to install any Ruby code: Gem, RPA, or random 
> download.

Yeah, a little bit of common sense would already help a lot. The more
important the box of course, the more security measures you should
take, and the more paranoid you should be.

Ruben