by romaaeterna 2499 days ago
Ruby gem hijacking also happened to Strong_password a few weeks ago.

https://news.ycombinator.com/item?id=20377136

This is a major new line of attack, and web app infrastructure is critically weak against it. We rejected distro-controlled package management in favor of pip and gem and npm years ago (for good reasons), but as this sort of attack becomes much more common (which it will), we might find ourselves missing the days of strong central control.

Rubygems should have acted on the Strong_password news, but missed the opportunity. I hope that they can get their act together now that they are lucky enough to have a second chance before this style of attack really explodes.

2 comments

With regards to Rubygems, the challenge is likely to be where they get the resources for additional security measures.

All the major language repos are free at point of use, and I don't get the impression the maintainers are exactly rolling in money, so it doesn't seem likely that they can easily ramp up on that front.

> We rejected distro-controlled package management in favor of pip and gem and npm years ago (for good reasons)

While I'm generally a fan of distribution-provided packages, they would not have helped in this case. Distributions simply lack the manpower to audit all upstream releases for these kinds of issues.

This gem was published six days before it was found, which means that the effectiveness of the attack seems to have relied on it being picked up by people doing automatic upgrades. Wouldn't a distro help, because it is fundamentally less predictable about when it takes a new version?
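The last comment's point, that the hijacked release only worked because automatic upgrades pulled it within days of publication, suggests a check a team can run on its own: refuse to ship a resolved gem version until it has been public for a minimum number of days. The script below is an added example, not code from the thread or from RubyGems. It parses the `specs:` block of a Gemfile.lock (a constructed excerpt with fictional gem names) and compares each resolved version against a release-date table; the table is constructed inline so the script runs offline, and it stands in for whatever source you trust for publication dates. A version with no known release date is held as well, so the check fails closed.

```ruby
# Constructed Gemfile.lock excerpt with fictional gem names (not a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alpha_gem (1.2.3)
      beta_gem (2.0.1)
        alpha_gem (>= 1.0)
      gamma_gem (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    beta_gem
    gamma_gem

  BUNDLED WITH
     2.0.2
LOCK

# Constructed release metadata keyed by "name-version". This is an assumed shape,
# standing in for whatever publication-date source you trust; gamma_gem-0.9.0 is
# deliberately absent to exercise the unknown-date path.
SAMPLE_RELEASE_DATES = {
  "alpha_gem-1.2.3" => Time.utc(2019, 6, 1),
  "beta_gem-2.0.1"  => Time.utc(2019, 8, 17),
}

# Return the resolved [name, version] pairs from the GEM/specs block.
# Resolved gems sit at four spaces of indentation; the dependency lines
# nested under them sit deeper and are skipped.
def parse_lock_specs(lock_text)
  specs = []
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
    elsif line.empty? || !line.start_with?(" ")
      in_specs = false # blank line or next top-level section ends the block
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs << [m[1], m[2]]
    end
  end
  specs
end

# Flag every resolved gem whose release is younger than min_age_days as of `now`,
# and every gem whose release date is unknown (fail closed rather than trust it).
# Returns an array of hashes with :name, :version and :reason.
def quarantine_report(lock_text, release_dates, now:, min_age_days: 14)
  parse_lock_specs(lock_text).map do |name, version|
    released = release_dates["#{name}-#{version}"]
    if released.nil?
      { name: name, version: version, reason: "unknown release date" }
    else
      age_days = ((now - released) / 86_400).floor
      if age_days < min_age_days
        { name: name, version: version, reason: "released #{age_days} days ago" }
      end
    end
  end.compact
end

if $PROGRAM_NAME == __FILE__
  # Fixed "now" so the constructed data gives a stable result when run by hand.
  report = quarantine_report(SAMPLE_LOCK, SAMPLE_RELEASE_DATES, now: Time.utc(2019, 8, 20))
  report.each { |r| puts "HOLD #{r[:name]} #{r[:version]}: #{r[:reason]}" }
  puts "all resolved gems clear the quarantine window" if report.empty?
end
```

In a CI job the lock file would be read from disk and `now` left as `Time.now`; a non-empty report is the signal to block the deploy until a human looks at the new release. The window is a delay, not a detection: it only buys time for someone else to notice a bad release, which is exactly the six-day margin the comment above describes.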