by Xylakant
4880 days ago
OK, serious question: In which ways is rubygems less safe than .deb packages, .rpms, portfiles or ebuilds, python eggs, jars or composer files? All of those are mechanisms to distribute and deploy code. All of those suffer from the same basic vulnerability: They ship code that gets executed. If that code gets compromised, you have a viable attack. Debian saw its developer repositories compromised at least in 2006 [1] and back then, we had the same problem: In the beginning nobody was sure whether the package repositories had been attacked. There is one critical difference between OS package repos and the programming language repos: For an OS package repo, signing is mandatory. Programming language repos allow that, but don't enforce it. Python is a little ahead here, but this is nothing that can't be fixed. I actually see that gem signing will be mandatory in the foreseeable future.

[1] http://www.debian-administration.org/articles/417
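The enforcement difference the comment draws (signing allowed but optional in language repos, mandatory in OS repos) as an added, runnable example; this is not code from the comment, nor from RubyGems, Debian or any real package tool. It models a trust store and two installer policies in Python. The Lamport one-time signature scheme stands in for the X.509/OpenPGP signing real tools use, chosen only so the example runs with the standard library; the policy names, trust-store shape, package layout and payloads are all constructed for the example.

```python
import hashlib
import os

# --- Lamport one-time signatures (hash-based, standard library only) -----
# Stand-in for the X.509/OpenPGP signing gem/deb/rpm actually use. The scheme
# itself is real; it is used here only because it needs no crypto library.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    # Yield the 256 bits of a SHA-256 digest, most significant bit first.
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1

def keygen():
    # Private key: 256 pairs of random 32-byte preimages.
    # Public key: the SHA-256 hash of every preimage.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, message: bytes):
    # Reveal one preimage per bit of H(message). A Lamport key must sign only
    # ONE message; signing a second one leaks enough preimages to forge.
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]

def verify(pk, message: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pk[i][bit]
               for i, bit in enumerate(_bits(_h(message))))

def fingerprint(pk) -> str:
    # Constructed trust-store identifier for a public key.
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

# --- Installer policy ----------------------------------------------------
# A package is a dict: name, payload (archive bytes) and, optionally, the
# signer's public key plus a signature over the payload.

SIGNING_OPTIONAL = "signing_optional"   # the language-repo behaviour described
SIGNING_REQUIRED = "signing_required"   # what OS package repos enforce

def check_install(pkg: dict, policy: str, trusted: set) -> tuple:
    """Return (accepted, reason) for installing pkg under the given policy.

    trusted is the set of public-key fingerprints the installer trusts.
    Model choice: a signature that IS present must verify against a trusted
    key under either policy; only a MISSING signature is policy-dependent.
    """
    if "signature" not in pkg:
        if policy == SIGNING_REQUIRED:
            return False, "unsigned package rejected: signature required"
        return True, "unsigned package accepted: signature not required"
    if fingerprint(pkg["signer"]) not in trusted:
        return False, "signature from a key not in the trust store"
    if not verify(pkg["signer"], pkg["payload"], pkg["signature"]):
        return False, "signature does not match payload (tampered/corrupt)"
    return True, "signature verified against a trusted key"

def run_demo() -> dict:
    """Evaluate constructed sample packages under both policies."""
    sk_ok, pk_ok = keygen()      # maintainer key the installer trusts
    sk_bad, pk_bad = keygen()    # key nobody has trusted
    trusted = {fingerprint(pk_ok)}
    payload = b"constructed gem archive bytes, version 1.0.0"
    packages = {
        "signed_trusted": {"name": "demo", "payload": payload,
                           "signer": pk_ok, "signature": sign(sk_ok, payload)},
        "unsigned": {"name": "demo", "payload": payload},
        # Archive modified after signing (the compromised-repo case).
        "tampered": {"name": "demo", "payload": payload + b"; injected",
                     "signer": pk_ok, "signature": sign(sk_ok, payload)},
        "untrusted_signer": {"name": "demo", "payload": payload,
                             "signer": pk_bad, "signature": sign(sk_bad, payload)},
    }
    return {(name, policy): check_install(pkg, policy, trusted)[0]
            for name, pkg in packages.items()
            for policy in (SIGNING_OPTIONAL, SIGNING_REQUIRED)}

if __name__ == "__main__":
    for (name, policy), accepted in sorted(run_demo().items()):
        print(f"{name:18} {policy:18} {'ACCEPT' if accepted else 'REJECT'}")
```

The only row that differs between the two policies is the unsigned package: under the optional policy it installs, under the mandatory policy it does not. A tampered archive is caught by either policy as long as a signature is present, which is exactly why the comment's point is about enforcing presence rather than about the signature mechanism itself.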