Ruby gems are still not safe to use

In light of the recent Rubygems.org security compromise, the community has been looking at ways to make Rubygems.org, and Ruby gems in general, more secure. That effort is still ongoing (feel free to help out in #rubygems on Freenode), but here is a summary of what I think are the main issues.

Some of the issues highlighted here are taken from Ben Smith’s enlightening (but scary) talk at the Aloha Ruby Conference.

Disclaimer

I am not a security expert. I am just a Ruby developer and gem author who is worried about the current state of the Ruby gems ecosystem. I am also worried that the next piece of negative news around Ruby will involve the problems described below.

What are Ruby gems and what is Rubygems.org?

For those not familiar, Rubygems.org is the most popular repository of “gems” for the Ruby language. Gems are libraries made up of Ruby (and optionally C) code, and they can be uploaded by anyone who has registered for an account. Rubygems.org currently hosts 50,685 gems, which have been downloaded 1,259,533,358 times since July 2009. Ruby gems are not hosted only on Rubygems.org: anyone can run their own repository, but Rubygems.org is by far the most used one.

Current state

Some parts of the current infrastructure are worrying.

Proposals for change

How can I help?

Did I miss anything?

Please let me know and I’ll add it to the list.
