Mailinglist Archive: opensuse-ruby (10 mails)

Re: [opensuse-ruby] The case against using RubyGems.org in production
  • From: Jordi Massaguer Pla <jmassaguerpla@xxxxxxx>
  • Date: Mon, 01 Jul 2013 14:05:10 +0200
  • Message-id: <51D17076.50508@suse.de>
On 07/01/2013 01:45 PM, Lukas Ocilka wrote:
On 07/01/2013 01:28 PM, Cornelius Schumacher wrote:
On Monday 01 July 2013 12:33:12 Stephan Kulow wrote:
You do "Review the code for treachery" too?

Sascha is right that running the server is not the actual issue, but it is a necessary condition to be able to control what's being used by an app. We do look at what we are using, but of course we are not able to review every single line of code for every version update. So, as Sascha also already said, relying on the reputation of upstream projects is also part of it. One nice side effect of channeling gems through our own server is that you have a complete track of the code you are using as gems, so in case there is any doubt about possibly compromised gems, it's possible to analyze that.

Webyast uses brakeman for periodic checking for possible vulnerabilities, and there are other tools out there. We could incorporate brakeman into the build process of rubygem-* RPMs and forbid using gems directly. Or we could monitor upstream projects in use. Still not a bullet-proof way, but it might be better than nothing.


What do you mean by "forbid using gems directly"?
What do you mean by "monitor upstream projects"? Running brakeman on GitHub projects?

Bye
Lukas
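
The "complete track of the code you are using as gems" that the thread describes can be made concrete with a digest manifest of the gems served by a private channel. The following is an added example, not code from the thread or from the openSUSE project; the directory layout, file names and gem payloads are constructed for the demo, and it uses only the Ruby standard library.

```ruby
# Added example (not from the thread): keep a SHA256 manifest of the gems
# served by a private gem channel and detect gems whose contents changed
# for an already-recorded name/version. Uses only the Ruby standard library.
require "digest"
require "json"
require "tmpdir"

# Manifest: { "name-version" => sha256 hex } for every *.gem in gem_dir.
def gem_manifest(gem_dir)
  Dir.glob(File.join(gem_dir, "*.gem")).sort.each_with_object({}) do |path, m|
    m[File.basename(path, ".gem")] = Digest::SHA256.file(path).hexdigest
  end
end

# Compare a fresh manifest against a stored baseline. A published gem version
# is immutable, so a changed digest for the same key is the case worth
# analyzing (republished, tampered, or mirror corruption); new keys are just
# versions added since the baseline; missing keys were removed from the channel.
def audit_gems(baseline, current)
  changed = current.keys.select { |k| baseline.key?(k) && baseline[k] != current[k] }
  added   = current.keys - baseline.keys
  missing = baseline.keys - current.keys
  { changed: changed.sort, added: added.sort, missing: missing.sort }
end

# Self-contained demo on constructed .gem files (payloads are placeholders,
# not real gem archives; the digest logic does not care about the format).
def demo_audit
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "rails-3.2.13.gem"), "constructed gem payload A")
    File.write(File.join(dir, "rack-1.4.5.gem"),   "constructed gem payload B")
    baseline = gem_manifest(dir)
    File.write(File.join(dir, "baseline.json"), JSON.generate(baseline))

    # Simulate drift: same name/version with different contents, plus one
    # genuinely new version appearing in the channel.
    File.write(File.join(dir, "rack-1.4.5.gem"),   "constructed gem payload B'")
    File.write(File.join(dir, "rails-3.2.14.gem"), "constructed gem payload C")

    stored = JSON.parse(File.read(File.join(dir, "baseline.json")))
    audit_gems(stored, gem_manifest(dir))
  end
end

puts demo_audit.inspect if $PROGRAM_NAME == __FILE__
```

In a real channel the baseline would be committed or signed alongside the served gems, so the comparison can be run as a build-time check on the rubygem-* packages rather than by hand.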


