Bugs item #29236, was opened at 2011-05-30 13:54
You can respond by visiting: 
http://rubyforge.org/tracker/?func=detail&atid=575&aid=29236&group_id=126

Category: `gem install` command (extensions)
Group: next
Status: Open
Resolution: None
Priority: 3
Submitted By: David Chelimsky (dchelimsky)
Assigned to: Nobody (None)
Summary: native extension installation exposes a back door through which gems can be installed with no management

Initial Comment:
Per http://rubyforge.org/tracker/?group_id=126&atid=575&func=detail&aid=29229,
spork's maintainer used ext/mkrf_conf.rb to install other gems (see
https://github.com/timcharper/spork/blob/45675372a2143136705b2ea1b1aa32d420f1caf4/ext/mkrf_conf.rb).
This resulted in rake-0.9.0 being installed but it was not reported by the
`gem install` command, so we learned about it later.

This has been addressed in the spork project, however other projects can still 
do this.

I think this should either be prevented or it should be managed by Rubygems and 
reported in the output from the `gem install` command.

----------------------------------------------------------------------

Comment By: Steve Klabnik (steveklabnik)
Date: 2011-05-30 14:38

Message:
How would one be able to prevent or manage this? mkmf.rb is just a Ruby script, 
so if it contains a simple `gem install lolz`, it's gonna happen.

----------------------------------------------------------------------
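An added example, not code from the tracker item, from spork or from RubyGems: the script below does the two things a practitioner can do today about the behaviour this report describes. It inspects a .gem archive offline, extracting the extension build scripts that the gemspec's `extensions` list names (such as ext/mkrf_conf.rb) and flagging lines that reach for RubyGems' installer classes or shell out to `gem install`; and it diffs the installed gem set before and after an install to surface gems that were neither requested nor declared as runtime dependencies. `Gem::Package` and `Gem::Specification` are the real RubyGems APIs; the sample gem it builds (`sample-ext`), the pattern list and the before/after snapshots are constructed for the demonstration.

```ruby
require 'rubygems'
require 'rubygems/package'
require 'tmpdir'
require 'fileutils'

# Patterns that betray an extension build script installing gems on its own.
# Constructed list for this example; extend it for your environment.
GEM_INSTALL_PATTERNS = [
  /Gem::DependencyInstaller/,   # what spork's mkrf_conf.rb reached for
  /Gem::Installer/,
  /\bGem\.install\b/,
  /`\s*gem\s+install\b/,        # shelling out via backticks
  /(system|exec|spawn)\s*\(?\s*["']gem\s+install\b/,
].freeze

# Inspect a .gem archive without installing it. Returns a hash mapping each
# extension build script listed in the gemspec to the lines that match
# GEM_INSTALL_PATTERNS, formatted "<lineno>: <text>". An empty array means
# the script exists but nothing suspicious was found in it.
def audit_gem_extensions(gem_path)
  pkg = Gem::Package.new(gem_path)
  spec = pkg.spec
  findings = {}
  Dir.mktmpdir do |dir|
    pkg.extract_files(dir)        # verifies checksums and rejects path traversal
    spec.extensions.each do |ext|
      path = File.join(dir, ext)
      next unless File.file?(path)
      hits = File.readlines(path).each_with_index.select do |line, _|
        GEM_INSTALL_PATTERNS.any? { |re| re.match?(line) }
      end
      findings[ext] = hits.map { |line, idx| "#{idx + 1}: #{line.strip}" }
    end
  end
  findings
end

# Snapshot of installed gems as [name, version] pairs; take one before and
# one after `gem install` and hand both to unreported_installs.
def installed_gems
  Gem::Specification.map { |s| [s.name, s.version.to_s] }.sort
end

# Everything that appeared during the install other than the requested gem
# and the runtime dependencies its gemspec declares. Anything returned here
# arrived through a side channel such as an extension build script.
def unreported_installs(before, after, spec)
  declared = [spec.name] + spec.runtime_dependencies.map(&:name)
  (after - before).reject { |name, _version| declared.include?(name) }
end

# Build a constructed sample gem (not spork) whose mkrf_conf.rb installs
# another gem the way the report describes, so the audit can be tried
# offline. Returns the absolute path of the built .gem file.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p('ext')
    File.write('ext/mkrf_conf.rb', <<~'RUBY')
      # constructed example of the pattern in this bug report; never executed here
      require 'rubygems/dependency_installer'
      Gem::DependencyInstaller.new.install('rake', '0.9.0')
      File.write('Rakefile', "task :default\n")  # rubygems runs rake after this script
    RUBY
    spec = Gem::Specification.new do |s|
      s.name       = 'sample-ext'
      s.version    = '0.0.1'
      s.summary    = 'constructed sample gem with an extension build script'
      s.authors    = ['example']
      s.files      = ['ext/mkrf_conf.rb']
      s.extensions = ['ext/mkrf_conf.rb']
    end
    File.expand_path(Gem::Package.build(spec, true))  # true: skip validation warnings
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    audit_gem_extensions(build_sample_gem(dir)).each do |ext, hits|
      puts "#{ext}: #{hits.empty? ? 'clean' : hits.join(' | ')}"
    end
  end
end
```

Run the audit against a downloaded .gem before installing it; for the install itself, wrap `gem install` with two `installed_gems` snapshots and pass them with the requested gem's spec to `unreported_installs`. The static scan catches the obvious API and shell-out forms, not code that obfuscates the call, so the before/after diff is the check to rely on.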

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
http://rubyforge.org/mailman/listinfo/rubygems-developers