Gemcutter as a RubyGem source scares me
Update: rufo clarifies that rubyforge-hosted gems can’t be hijacked. Excellent! I apologize that I missed that in the FAQ. I’m still concerned about http://gems.github.com-hosted gems, though (this was actually the case that brought me to write this in the first place).
Update II: The answer is that gems.github.com gems can be hijacked. But that was already true before: you could use rubyforge to hijack them, so the move towards Gemcutter isn’t making things any worse than they already were. It makes me think that having multiple sources is generally just a bad idea, and if you want to be sure you’re getting what you think you’re getting, always use the --source parameter.
Over the past year there has been a pretty strong move in the Ruby community towards hosting gems on http://gems.github.com. Now that that’s defunct, the masses seem to be headed squarely for Gemcutter.org. Before I get into what exactly scares me, let me first say that Gemcutter is incredibly slick and a fantastic service to the Ruby community. The fact that you can push up a gem with a single command is nothing short of awesome.
But I’m scared. See, the second part of getting set up with Gemcutter, as described on the site, is to run the cutely named ‘gem tumble’. This will unshift http://gemcutter.org onto your RubyGems source list, making it the highest priority location for resolving a gem name when you run ‘gem install <gem_name>’. That seemed all well and good to me until I realized the consequences. See, as far as I can tell, anyone with an email address can push up any gem under any name, as long as that name has not already been pushed to Gemcutter. Now suddenly typing ‘gem install <trusted_gem>’ doesn’t seem so safe. If the creators of <trusted_gem> haven’t yet pushed it to Gemcutter, some nefarious soul could have, and suddenly they’ve just executed arbitrary code on my machine, likely as root, since the reality is that most of the time I’m running ‘sudo gem install’.
Am I missing something here? I’d love to find out I am. Otherwise, I’d seriously consider removing http://gemcutter.org as a source from RubyGems on your machine.