The call to action in this post is not strong enough - RubyGems and RubyGems.org are completely volunteer-run, open source projects. If you want to fix these problems, please get involved and stick around.
"Stop running code on gem install."<p>- this is a real issue. I've used rpm shell execution to modify sshd as well as other system components in order "install" additional software. <a href="http://web.archive.org/web/20090211040821/http://www.idle-hacking.com/2008/05/i-say-cap-you-say-rpm-i-cap-your-rpm/" rel="nofollow">http://web.archive.org/web/20090211040821/http://www.idle-ha...</a><p>as you can see from that archived post, it's very important to have trust of what you are installing. especially when you have to install with root permissions....<p>Seeing how many references exist to "sudo gem install blah"... this is very serious as it's a high reward if you're able to get your remote code executing with root privileges (assuming as most would not limit sudo access e.g.
user ALL=(ALL) ALL
)...
Even if 5% of the rubygems ecosystem contained malware, the biggest danger to most projects is the inclusion of gems that are sloppily maintained. Just because something is released as a gem does not mean it has good code quality or that good development practices were used to create it.<p>The default behavior of bundler is to grab the latest compatible gem version, and in many cases this breaks things bc of little or no QA on the part of some gem maintainers.<p>The top 10% of gems are well maintained but the rest should generally be avoided.
Worrying about code execution at install is silly. The whole point of installing a gem is to download code that you're going to execute.<p>So the whole gem (install code and runtime code) needs to be trusted, and should be verifiably signed by somebody you can trust.
Is it safe to install rails with something like 'gem install rails' right now? I'm totally new to Ruby and to the Rails framework, but I was going to start a side project with it this weekend (today). Any advice on how I can safely get setup while the community is figuring out how to cope with the intrusion?
Removing the ability to run code on gem install would be quite disruptive. I think that establishing a universal gem signing policy and/or some form of whitelist/blacklist strategy would be a better solution. Consumers need to be able to trust the installations of the tools they use. The same risks apply to any other installation process. Think of how we install RVM or Homebrew.
Sorry in advance for being off topic, but: I rely a lot on Clojure repos like clojars.org and I in addition to checking my few Rails and Sinatra apps in the last few days, I have become a little concerned about the same sort of thing happening with clojars, main mavin repos, etc.
This hyperbole is very silly! Weaknesses appear in everything when it becomes popular.<p>There needs to be something like the "app store" and I don't mean specifically apples' own.<p>But we need some of the big corps using ROR to step forward and provide complete support for this type of project.