IP logs or STFU
It is very possible that something Really Bad™ has already happened, and we don't know about it. If it were me, I wouldn't let it out that I had essentially an unlimited backdoor to every system that installs gems.
When rubygems.org requires signed gems by developers whose keys have been put into the approved keyring, and denying access to everyone else. Until then, nobody will bother.
Debian and Ubuntu solve this problem by having an archive signing key that is regularly rolled over and requires multiple people to re-assemble. The entire archive is cryptographically signed by this archive signing…
Why aren't gems protected by a trust chain all the way up like Debian does? Gems aren't even required to be cryptographically signed by the developer and from what I can tell are just thrown over http without any…
IP logs or STFU
It is very possible that something Really Bad™ has already happened, and we don't know about it. If it were me, I wouldn't let it out that I had essentially an unlimited backdoor to every system that installs gems.
When rubygems.org requires signed gems by developers whose keys have been put into the approved keyring, and denying access to everyone else. Until then, nobody will bother.
Debian and Ubuntu solve this problem by having an archive signing key that is regularly rolled over and requires multiple people to re-assemble. The entire archive is cryptographically signed by this archive signing…
Why aren't gems protected by a trust chain all the way up like Debian does? Gems aren't even required to be cryptographically signed by the developer and from what I can tell are just thrown over http without any…