Package: ruby
Version: 1:2.1.5.1
Severity: wishlist
Tags: security
Hi.

AFAIU, the gems integration into ruby allows one (e.g. in principle also other packages) to download/install software which doesn't come via the Debian Archives (i.e. I'm not talking about properly packaged "gems", as e.g. ruby-xmlparser). Correct me if I'm wrong.... =)

There are several, especially security, problems with such external downloading/injecting features - similar to those one has with many (but not all) downloader packages.

- They put trust for code which gets executed (likely even as root) into another party (the ruby gem author), in which the Debian user/admin likely doesn't want to put trust.
- It circumvents the package management system.
- And also the security support from Debian.
- If an attacker can control the code of the gem (which is downloaded in such manner) he could selectively attack only certain people, making such an attack basically impossible to ever notice (which is less easy when the same code is guaranteed to be used by *all*, as is the case when it's properly packaged).
- On a first glance (I haven't looked into all details) it seems that the certs from ca-certificates would be used for authenticating such external gems? Or did I get that wrong? Anyway, that would really be a serious problem, since that contains gazillions of CAs, many of which have proven countless times to be either incompetent or simply straight malicious.

It's of course fine to have properly (Debian) packaged gems being used, but any form of possible way that code gets installed (without the admin or user doing it manually or via the package management system (talking about dpkg/apt here)) is IMHO a quite severe security breach, and as such there should be a way to have ruby gems in Debian configured (per default) so that this isn't possible.

But just that seems to work, e.g.:
# gem install rubygems-update
Fetching: rubygems-update-2.4.8.gem (100%)
Successfully installed rubygems-update-2.4.8
1 gem installed
Installing ri documentation for rubygems-update-2.4.8...
Installing RDoc documentation for rubygems-update-2.4.8...
#

And that even though there seem to be no trusted certificate configured:

# gem cert --list
#

Best wishes,
Chris.
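One check a Debian admin might run to see which gems reached a system outside dpkg, as an added example that is not part of Chris's report or of the ruby package: it classifies each installed gemspec by where it lives, assuming the Debian rubygems-integration layout (apt-installed gemspecs under /usr/share/rubygems-integration and /usr/lib/ruby, `gem install` results under /var/lib/gems or ~/.gem). The prefix list and the sample paths are constructed assumptions; verify the prefixes on your release.

```ruby
require 'rubygems'

# Gemspec locations that dpkg/apt populate on Debian (assumption: the
# rubygems-integration layout; adjust the prefixes for your release).
DEBIAN_SPEC_PREFIXES = %w[
  /usr/share/rubygems-integration/
  /usr/lib/ruby/gems/
  /usr/lib/ruby/vendor_ruby/
].freeze

# True when the gemspec lives under a dpkg-managed prefix, i.e. the gem
# arrived through the package management system rather than `gem install`.
def dpkg_managed?(spec_path, prefixes = DEBIAN_SPEC_PREFIXES)
  path = File.expand_path(spec_path.to_s)
  prefixes.any? { |prefix| path.start_with?(prefix) }
end

# Split gemspec paths into [dpkg-managed, out-of-band]. Out-of-band gems
# (typically under /var/lib/gems or ~/.gem) have no Debian security support
# and no dpkg record of what was installed or when.
def audit_gem_paths(spec_paths, prefixes = DEBIAN_SPEC_PREFIXES)
  spec_paths.partition { |path| dpkg_managed?(path, prefixes) }
end

# Audit the gems visible to the running interpreter.
def audit_installed_gems
  audit_gem_paths(Gem::Specification.map(&:loaded_from).compact)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: one apt-packaged gem and the rubygems-update gem
  # fetched with `gem install` as shown in the report.
  sample = [
    '/usr/share/rubygems-integration/all/specifications/xmlparser-1.0.0.gemspec',
    '/var/lib/gems/2.1.0/specifications/rubygems-update-2.4.8.gemspec'
  ]
  managed, outside = audit_gem_paths(sample)
  puts "dpkg-managed: #{managed.size}, out-of-band: #{outside.size}"
  outside.each { |p| puts "  #{File.basename(p, '.gemspec')}" }

  # Live audit of this host's gem set.
  _, live_outside = audit_installed_gems
  puts "gems installed outside dpkg on this host: #{live_outside.size}"
end
```

Anything reported as out-of-band is worth reconciling against `dpkg -S` and, if it is needed, replacing with the packaged equivalent.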