On Thu, 31 Jan 2013 18:57:34 +0100
Jordi Massaguer Pla
Quoting Josef Reidinger
: On Thu, 31 Jan 2013 17:41:15 +0100 Cornelius Schumacher
wrote: On Thursday 31 January 2013 15:13:12 Stephan Kulow wrote:
Using bundler/gem just dropped from that list:
http://blog.newrelic.com/2013/01/30/new-relic-and-rubygems-security/
How is this related to the question how gems are packaged? In the end they are all coming from rubygems in any case.
Well, there is one big difference. We control it. So e.g. if OBS is extended to provide also difs for gems, you can review changes from last submit and review it. If you use directly rubygems.org, then you depend on external service, where is no guaranty and as last case show no review. Of course own gem server is different case, but there is other problems like that we must maintain it. It must be public so also we must secure it etc.
"must be public" ?? I do not see why.
Well, maybe my fault. I think that this disqualify solution that zypper can work with rubygems. Because in this case all customer should be able to download from rubygems org or from our gemserver. It is also valid for any solution that do not pack all required gems during build on internal server ( because OBS is in public network, so only IBS can do it ). Josef
Josef -- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-ruby+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-ruby+owner@opensuse.org