On Mon, 2007-01-15 at 21:42 +0900, Stephan Mueller wrote:
> * Tom Copeland <tom / infoether.com> [15.01.2007]:
> 
> > On Mon, 2007-01-15 at 19:59 +0900, Giles Bowkett wrote:
> > > If the unit tests Ryan mentioned were automatically triggered by
> > > uploading a gem, couldn't that operate as a gate preventing this sort
> > > of thing?
> > 
> > That's an interesting idea.  We do run some tests on the gems before
> > deploying them, and we're adding more to catch the situation that
> > happened Saturday night.  But perhaps we can add more from the gem unit
> > test suite itself.
> 
> Executing code in the uploaded gems (if this is the case here - didn't
> follow the thread all the time) might be dangerous itself. An attacker
> could place some evil code(TM) in the unit tests and bork the rubyforge
> server.

Yup.  Right now we parse the gem file itself, so that shouldn't happen.
But if we actually execute that code, we might want to do it in a
vserver or some such.

Yours.

Tom
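The distinction Tom draws, parsing the gem file versus executing its contents, is what the following added example illustrates. It is not RubyForge's code or anything from this thread: it builds a constructed .gem archive in memory (a tar holding metadata.gz and data.tar.gz, with simplified plain-YAML metadata rather than the tagged Gem::Specification document a real gem carries) and then inspects it purely by reading the archive, so a test file containing hostile code is listed but never run. The helper names (build_sample_gem, inspect_gem) are assumptions for the example.

```ruby
require 'rubygems'
require 'rubygems/package'
require 'zlib'
require 'stringio'
require 'yaml'

# gzip/gunzip a byte string in memory.
def gzip(bytes)
  out = StringIO.new(String.new)
  writer = Zlib::GzipWriter.new(out)
  writer.write(bytes)
  writer.finish # unlike close, leaves the StringIO open
  out.string
end

def gunzip(bytes)
  Zlib::GzipReader.new(StringIO.new(bytes)).read
end

# Pack {path => body} into a tar byte string using RubyGems' own writer.
def tar(entries)
  io = StringIO.new(String.new)
  Gem::Package::TarWriter.new(io) do |t|
    entries.each do |path, body|
      t.add_file_simple(path, 0644, body.bytesize) { |w| w.write(body) }
    end
  end
  io.string
end

# Constructed sample gem for this example. A .gem is a plain tar whose
# entries are metadata.gz (YAML spec) and data.tar.gz (the packaged files).
# The spec here is a plain hash, simpler than a real Gem::Specification.
def build_sample_gem(name:, version:, files:, extensions: [])
  spec = { 'name' => name, 'version' => version,
           'files' => files.keys, 'extensions' => extensions }
  tar('metadata.gz' => gzip(spec.to_yaml),
      'data.tar.gz' => gzip(tar(files)))
end

# The gate: read the archive, never evaluate anything inside it.
# Returns what an upload check can decide from structure alone.
def inspect_gem(gem_bytes)
  spec = nil
  paths = []
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |outer|
    outer.each do |entry|
      case entry.full_name
      when 'metadata.gz'
        # safe_load rejects object tags, so the YAML cannot instantiate classes
        spec = YAML.safe_load(gunzip(entry.read))
      when 'data.tar.gz'
        Gem::Package::TarReader.new(StringIO.new(gunzip(entry.read))) do |inner|
          inner.each { |f| paths << f.full_name if f.file? }
        end
      end
    end
  end
  raise ArgumentError, 'not a gem: metadata.gz missing' unless spec.is_a?(Hash)

  # Entries that would escape the install directory when extracted.
  escaping = paths.select { |p| p.start_with?('/') || p.split('/').include?('..') }
  {
    name: spec['name'],
    version: spec['version'],
    files: paths.sort,
    # extensions are the one thing RubyGems does execute at install time
    extensions: Array(spec['extensions']),
    escaping_paths: escaping,
    manifest_matches: Array(spec['files']).sort == paths.sort
  }
end

if __FILE__ == $0
  sample = build_sample_gem(
    name: 'demo', version: '0.1.0',
    files: { 'lib/demo.rb' => "module Demo; end\n",
             # hostile test code: listed by the gate, never executed
             'test/test_demo.rb' => "exit! 1\n" }
  )
  report = inspect_gem(sample)
  puts "#{report[:name]} #{report[:version]}: #{report[:files].size} files, " \
       "#{report[:extensions].size} extensions, " \
       "#{report[:escaping_paths].size} escaping paths"
end
```

The report lists the `extensions` field separately because that is the one part of a gem RubyGems itself runs at install time, so a gate that later decides to build or test gems only needs isolation (the vserver Tom mentions) for that step and for the test suite, not for the metadata parse. For real gem files the RubyGems API `Gem::Package#spec` reads the tagged metadata with its own restricted YAML loader; the plain `YAML.safe_load` above works only because the constructed spec is untagged.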