At 11:48 AM 1/7/2002 +0900, Rich Kilmer wrote:
>Right and the way to address this is to have a public/private encryption key
>pair that signs the stored RubyGem/code a la Java Jar signing.

I'm not entirely sure that this would be sufficient.

No, that's not true. I'm entirely sure it's not sufficient. I can think of 
many, many ways to crock this. You're counting on the remote keyserver 
being trustworthy (they aren't), DNS being trustworthy (it isn't), that the 
signing entity is trustworthy (they aren't), and that the source you're 
fetching is safe to use sight unseen (it isn't).

Someone could poison your DNS cache. The remote repository can be 
compromised. The keyserver can be compromised. A proxy in the middle of 
the transaction can be compromised or poisoned. The person providing the 
code can be less trustworthy than you think they are.

Yeah, these are all potential issues when installing any chunk of code from 
the net, but at least with a manual install you have a chance to check 
things out even if you choose not to. With automagic loading, you take all 
the potential checks out of the process. (FWIW, I considered this and 
discarded it for parrot. It's the sort of thing I'd not allow to be 
installed on a system I administered.)

> > -----Original Message-----
> > From: Dan Sugalski [mailto:dan / sidhe.org]
> > Sent: Sunday, January 06, 2002 9:38 PM
> > To: ruby-talk ML
> > Subject: [ruby-talk:30401] Re: snippet exchange (was: Re: Re: chomp for
> > arrays?)
> >
> >
> > At 06:31 AM 1/7/2002 +0900, Mark Hahn wrote:
> >
> > >A daydream of mine is a "super-require" that if the file was not
> > found, the
> > >loader would go to a central place on the web and load it (sort of like
> > >marimba).  I don't tend to use other people's modules just
> > because I'm too
> > >lazy to find and install them.
> >
> > That's a rather dangerous thing to implement. There are an awful lot of
> > security issues there...


					Dan

--------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
dan / sidhe.org                         have teddy bears and even
                                      teddy bears get drunk
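The trust gap Dan describes, as an added Ruby example that is not part of the original thread: a signature check only proves the package matches whatever key the client was handed, so if the keyserver (or the DNS that resolves it) serves a substitute key alongside a substitute package, the naive check passes; pinning the author's key fingerprint recorded out of band at a manual install is one mitigation. All keys, payloads and function names are constructed for this illustration.

```ruby
require 'openssl'

# Constructed scenario (not from the thread): a package signed by its author,
# with the client fetching the verifying key from a "keyserver" it trusts blindly.
def sha256
  OpenSSL::Digest.new('SHA256')
end

def sign_package(key, payload)
  key.sign(sha256, payload)
end

# Naive check: trust whatever public key the keyserver returned.
def naive_verify(keyserver_pub, payload, sig)
  keyserver_pub.verify(sha256, sig, payload)
end

def fingerprint(pub)
  sha256.hexdigest(pub.to_der)
end

# Pinned check: the key must also match a fingerprint recorded out of band
# (e.g. noted at a manual first install), not merely be any valid key.
def pinned_verify(pinned_fp, keyserver_pub, payload, sig)
  fingerprint(keyserver_pub) == pinned_fp && naive_verify(keyserver_pub, payload, sig)
end

AUTHOR   = OpenSSL::PKey::RSA.new(2048)   # the real module author's key
ATTACKER = OpenSSL::PKey::RSA.new(2048)   # key served by a compromised keyserver
PINNED_FP = fingerprint(AUTHOR.public_key)

GENUINE        = "puts 'chomp for arrays'\n"            # constructed payload
GENUINE_SIG    = sign_package(AUTHOR, GENUINE)
SUBSTITUTE     = "puts 'not what you asked for'\n"      # constructed payload
SUBSTITUTE_SIG = sign_package(ATTACKER, SUBSTITUTE)

# Each case returns the verdict the client would act on.
def scenario
  {
    genuine_naive:     naive_verify(AUTHOR.public_key, GENUINE, GENUINE_SIG),
    tampered_naive:    naive_verify(AUTHOR.public_key, SUBSTITUTE, GENUINE_SIG),
    substitute_naive:  naive_verify(ATTACKER.public_key, SUBSTITUTE, SUBSTITUTE_SIG),
    genuine_pinned:    pinned_verify(PINNED_FP, AUTHOR.public_key, GENUINE, GENUINE_SIG),
    substitute_pinned: pinned_verify(PINNED_FP, ATTACKER.public_key, SUBSTITUTE, SUBSTITUTE_SIG)
  }
end

scenario.each { |name, ok| puts "#{name}: #{ok}" } if __FILE__ == $0
```

Signing catches a tampered payload under the genuine key (tampered_naive is false) but not a substituted key plus payload (substitute_naive is true); only the pinned check rejects the latter.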