2009/4/1 aslak hellesoy <[email protected]>:
>
>
> On Wed, Apr 1, 2009 at 9:32 AM, Daniel Berger <[email protected]> wrote:
>>
>> Chad Woolley wrote:
>>>
>>> On Tue, Mar 31, 2009 at 8:10 PM, Eric Hodel <[email protected]> wrote:
>>>>
>>>> It seems that there was a bogus github gem floating around,
>>>> mojombo-grit.
>>>> It was adding directories to the file list... I'm investigating it.
>>>
>>> Hmm:
>>> http://github.com/mojombo/grit/commit/4ac4acab7fd9c7fd4c0e0f4ff5794b0347baecde
>>>
>>> What I'm wondering is - how easy would it be to do this maliciously
>>> and with greater effect, if this minor snafu caused problems.
>>>
>>> How's that circle of trust thing coming?
>>
>> If it comes to it we'll start requiring gem signatures. :)
>
> Most other packaging systems use MD5 signatures by default (apt-get, pear,
> maven, etc.).
> Why isn't Rubygems doing it?
>
You're talking about packaged file integrity, while I think Daniel and
Ryan are talking about package signatures:

    l...@keore (D:\Users\Luis)
    $ gem help install
    -P, --trust-policy POLICY Specify gem trust policy

    gem install mongrel -P HighSecurity
==
But first you need to install the certificates.
--
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
_______________________________________________
Rubygems-developers mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/rubygems-developers
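
The distinction drawn in the reply above (a digest shipped with the package versus a signature checked against a key the installer already trusts), as an added example that is not part of the original thread and not RubyGems' own code. The sample file contents, the freshly generated RSA keys, the use of SHA-256 in place of the MD5 mentioned in the thread, and all function names are assumptions made for illustration.

```ruby
require "openssl"
require "digest"

# Constructed sample data standing in for a file packaged inside a gem.
ORIGINAL = "puts 'hello from the real gem'\n"
TAMPERED = "puts 'hello from a modified gem'\n"

# Integrity-only check: compares the data against a digest that travels
# with the package. It detects corruption, not substitution.
def checksum_ok?(data, shipped_digest)
  Digest::SHA256.hexdigest(data) == shipped_digest
end

# Signature check: verifies against a public key the installer trusted
# beforehand (the "install the certificates" step in the thread).
def signature_ok?(data, signature, trusted_public_key)
  trusted_public_key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
end

# Runs both checks on the genuine package and on a republished, modified one.
def compare_checks
  author_key  = OpenSSL::PKey::RSA.new(2048) # author's private key (constructed)
  trusted_pub = author_key.public_key        # installed by the user in advance
  sha256      = OpenSSL::Digest.new("SHA256")

  shipped_digest = Digest::SHA256.hexdigest(ORIGINAL)
  shipped_sig    = author_key.sign(sha256, ORIGINAL)

  # Whoever republishes a modified package also controls the metadata shipped
  # with it, so the digest is simply recomputed. They do not hold the author's
  # private key, so the best they can do is sign with a key of their own.
  republished_digest = Digest::SHA256.hexdigest(TAMPERED)
  other_key          = OpenSSL::PKey::RSA.new(2048)
  republished_sig    = other_key.sign(sha256, TAMPERED)

  {
    genuine_checksum:          checksum_ok?(ORIGINAL, shipped_digest),
    genuine_signature:         signature_ok?(ORIGINAL, shipped_sig, trusted_pub),
    modified_checksum:         checksum_ok?(TAMPERED, republished_digest),
    modified_old_signature:    signature_ok?(TAMPERED, shipped_sig, trusted_pub),
    modified_resigned_package: signature_ok?(TAMPERED, republished_sig, trusted_pub)
  }
end
```

The modified package passes the checksum comparison because its digest was recomputed along with it, while both signature checks fail against the trusted key.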