Sandboxing
Posted Apr 11, 2019 23:36 UTC (Thu) by david.a.wheeler (subscriber, #72896)
In reply to: A backdoor in a popular Ruby gem by NYKevin
Parent article: A backdoor in a popular Ruby gem
> No go. RubyGems has to protect itself against hostile projects. You cannot push this back onto those projects, because they are untrusted.
RubyGems currently completely and totally trusts all projects that send data to it. If a project says, "here is my package xyz version 1.2.3" then if the login is correct RubyGems says "sure" and redistributes it to everyone. That's obviously easy to implement, but it means there's no verification that the package actually *is* a compiled version as claimed.
The alternative mooted here is that RubyGems tells some service "please rebuild package xyz version 1.2.3 and send me its cryptographic hash". That external service would be something like CircleCI or TravisCI (something already designed to run externally-provided programs and produce results). If the returned hash is the same as the hash of the file provided, all is well, otherwise there's a problem that needs to be fixed. RubyGems could even provide the rebuilt file to help debug it.
It could be third parties instead of RubyGems itself, but that might create a big window of time where the correspondence was not checked.
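The registry-side check the comment describes, as an added example written for this page (not code from RubyGems, Travis CI or CircleCI, and not the commenter's): a deterministic build of a constructed two-file "project" stands in for the package build, a `rebuild_service` function stands in for the external CI that rebuilds from source and returns only a hash, and `verify_upload` is the comparison the registry would perform before redistributing the uploaded file. The sources, file names and version string are all constructed for the example; the point it adds is that the comparison is only meaningful when the build is reproducible (fixed timestamps, ownership, permissions and member order), so an uploaded artifact containing anything not in the published source fails the check.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample "project": file name -> contents (not a real gem).
SOURCES = {
    "lib/xyz.rb": b"module Xyz\n  VERSION = '1.2.3'\nend\n",
    "xyz.gemspec": b"Gem::Specification.new { |s| s.name = 'xyz'; s.version = '1.2.3' }\n",
}


def build_gem(sources):
    """Deterministically pack sources into an uncompressed tar archive.

    Fixed mtime/uid/gid/mode and sorted member order make the output a pure
    function of the inputs, which is what lets an independent rebuild match
    byte for byte. (Stand-in for a real gem build, which would need the same
    normalisation to be reproducible.)
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):
            data = sources[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    """Hex SHA-256 of an artifact; the only thing the rebuild service needs to return."""
    return hashlib.sha256(data).hexdigest()


def rebuild_service(sources):
    """Stand-in for the external CI rebuild: builds from source, returns only the hash.

    In the scheme described in the comment this would run on a service already
    built to execute untrusted code (CircleCI/Travis CI), not on the registry.
    """
    return sha256_hex(build_gem(sources))


def verify_upload(uploaded_artifact, rebuilt_hash):
    """Registry-side check: does the uploaded file match the independent rebuild?

    compare_digest avoids leaking the position of the first differing byte
    through timing, which plain == does not guarantee.
    """
    return hmac.compare_digest(sha256_hex(uploaded_artifact), rebuilt_hash)


def demo():
    """Return (honest_upload_accepted, mismatched_upload_accepted)."""
    rebuilt = rebuild_service(SOURCES)
    honest = build_gem(SOURCES)
    # Constructed mismatch: the uploaded file carries a line that is not in the
    # published source, so the hash of the CI rebuild cannot match it.
    altered = dict(SOURCES)
    altered["lib/xyz.rb"] = SOURCES["lib/xyz.rb"] + b"# line not present in the source repo\n"
    mismatched = build_gem(altered)
    return verify_upload(honest, rebuilt), verify_upload(mismatched, rebuilt)


if __name__ == "__main__":
    ok, bad = demo()
    print("honest upload accepted:", ok)       # True
    print("mismatched upload accepted:", bad)  # False
```

The detection depends entirely on `build_gem` being deterministic: if the real build embedded the current time, a random nonce or host-specific paths, every honest upload would also fail and the check would have to be disabled. That is the reproducibility guarantee NYKevin questions in the reply below.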
Posted Apr 12, 2019 4:20 UTC (Fri)
by NYKevin (subscriber, #129325)
I was not aware that TravisCI and friends made that guarantee. It sounds like it would be a difficult promise to keep.
Posted Apr 12, 2019 18:38 UTC (Fri)
by david.a.wheeler (subscriber, #72896)