
So if I have a RubyForge account I can upload a modified gem, of, say,
Rails, with a backdoor, and unknowing ruby users will accidentally install
it and open a backdoor in production rails servers?

This sounds bad. VERY bad.

WTF?

SonOfLilit

On 1/14/07, Chris Carter <cdcarter / gmail.com> wrote:
>
> On 1/14/07, Eric Hodel <drbrain / segment7.net> wrote:
> > Somehow hoe-1.1.7 has become poisoned in the RubyGems index:
> >
> > $ sudo gem install hoe
> > Install required dependency zentest? [Yn]  ^CERROR:  Interrupted
> >
> > There is no gem by the name of 'zentest', and hoe will likely never
> > depend on 'ZenTest'.
> >
> > Until this is fixed you won't be able to install any Gems built with
> > hoe-1.1.7.
> >
> > --
> > Eric Hodel - drbrain / segment7.net - http://blog.segment7.net
> >
> > I LIT YOUR GEM ON FIRE!
> >
> >
> >
> I want to apologize to the group on this one.  It was caused by my
> utter incompetence, and I know I really screwed up here.  I was testing
> adding dependencies, I thought I had it, and in a rush, I added the
> bad Hoe gem to rubyforge under a different name, which I did wrong,
> and I shouldn't have done in the first place.  After a while I
> realized this could cause problems, so I deleted it, and checked, and
> the issue wasn't affecting my machine yet, so I assumed I had caught
> it before gems propagated, which I had not.  I know this was a big
> fu@king mistake, I know I should have handled it better than just
> deleting the gem.  I am very sorry, and hope that it gets resolved
> soon, so people are no longer inconvenienced.  If I can do anything to
> help with this mess, please contact me.  I am sorry to you Eric, and to
> this community.
>
> --
> Chris Carter
> concentrationstudios.com
> brynmawrcs.com
>
>
