Comments on: Ruby Gems as an attack vector http://rc3.org/2008/08/31/ruby-gems-as-an-attack-vector/ Rafe Colburn on software development (and other topics) Mon, 21 May 2012 23:52:43 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: po http://rc3.org/2008/08/31/ruby-gems-as-an-attack-vector/comment-page-1/#comment-3020 po Sun, 14 Sep 2008 21:10:22 +0000 http://rc3.org/?p=8418#comment-3020 <blockquote> <p>I thought that was supposed to be part of their whole value-add</p> </blockquote> <p>I've only ever seen this as a feature point with security-oriented Linux distributions like Trustix and Engarde. Those distributions tend to base their security model on a framework like SELinux or AppArmor combined with a reduction in packages to reduce the attack surface.</p> <p>Since many package maintainers seem to handle hundreds of packages it seems improbable that they do a security audit for each. If they do, it's certainly not documented well.</p>

I thought that was supposed to be part of their whole value-add

I’ve only ever seen this as a feature point with security-oriented Linux distributions like Trustix and Engarde. Those distributions tend to base their security model on a framework like SELinux or AppArmor combined with a reduction in packages to reduce the attack surface.

Since many package maintainers seem to handle hundreds of packages it seems improbable that they do a security audit for each. If they do, it’s certainly not documented well.

]]> By: genehack http://rc3.org/2008/08/31/ruby-gems-as-an-attack-vector/comment-page-1/#comment-2979 genehack Wed, 03 Sep 2008 10:10:48 +0000 http://rc3.org/?p=8418#comment-2979 <blockquote> <p>It would be foolish to expect that distribution maintainers vet every library.</p> </blockquote> <p>I thought that was supposed to be part of their whole value-add though -- because otherwise, why not just use a community-supported distro?</p> <p>Rafe, I'd love to hear the "developers are the enemy of the sysadmin" post; I'm not sure I agree with you...</p>

It would be foolish to expect that distribution maintainers vet every library.

I thought that was supposed to be part of their whole value-add though — because otherwise, why not just use a community-supported distro?

Rafe, I’d love to hear the “developers are the enemy of the sysadmin” post; I’m not sure I agree with you…

]]> By: po http://rc3.org/2008/08/31/ruby-gems-as-an-attack-vector/comment-page-1/#comment-2978 po Wed, 03 Sep 2008 04:24:11 +0000 http://rc3.org/?p=8418#comment-2978 <p>One thing any of these packaging systems should steal from yast, yum, apt, etc. is rudimentary code signing. Even the storied CPAN doesn't support this. (CPANPLUS does, however.) That would go a long way to stopping various real MITM attacks - and I'm including creative programmers among those in the middle.</p> <p>Using the bundled modules with distribution signatures as a safety is essentially another trusting-trust problem. Where did <em>they</em> download it? It would be foolish to expect that distribution maintainers vet every library.</p> One thing any of these packaging systems should steal from yast, yum, apt, etc. is rudimentary code signing. Even the storied CPAN doesn’t support this. (CPANPLUS does, however.) That would go a long way to stopping various real MITM attacks – and I’m including creative programmers among those in the middle.

Using the bundled modules with distribution signatures as a safety is essentially another trusting-trust problem. Where did they download it? It would be foolish to expect that distribution maintainers vet every library.

]]>