lawrencepit's comments

Won't make a difference, it's possible to sign a gem with a metadata file that contains an exploit.


No, you miss the point. The idea is that if, say, Rails were signed, someone with an exploit couldn't attack rubygems to _modify rails_ without it being discovered, because they wouldn't be able to sign their modified rails.

The point of signing gems is not that any signed gem is necessarily trustworthy. It's that any signed gem is necessarily what the signature owner distributed, and has not been modified by someone else since.

But to make that so requires a bunch of things, it's not quite as simple as 'everyone just has to sign their gems'. But that's the idea.
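The integrity property the comment above describes, shown as an added example that is not part of this thread and not RubyGems' real signing code: a publisher signs a canonical digest of a package's metadata and file contents with a private key; a consumer who holds only the public key accepts the package exactly when it is byte-for-byte what the key holder signed. The package format, names and file contents are constructed stand-ins. The example also shows the two failure modes the thread touches on: a package altered after signing fails verification, and an attacker re-signing with their own key does not help because the consumer does not trust that key. It does not show the reverse, that a genuine signature says nothing about whether the signed content is safe.

```ruby
require 'openssl'
require 'digest'

# Constructed stand-in for a gem: a name, a version and a map of file
# contents. This is NOT RubyGems' on-disk format, only enough structure
# to show what a signature has to cover.
def build_package(name:, version:, files:)
  { 'name' => name, 'version' => version, 'files' => files }
end

# Canonical byte string the signature is computed over. Every field appears
# in a fixed order, and file bodies enter through their SHA-256 digests, so
# any change to metadata or to any file changes the bytes being signed.
def canonical_bytes(pkg)
  parts = ["name=#{pkg['name']}", "version=#{pkg['version']}"]
  pkg['files'].sort.each do |path, body|
    parts << "#{path}:#{Digest::SHA256.hexdigest(body)}"
  end
  parts.join("\n")
end

# Publisher side: sign the canonical bytes with the publisher's private key.
def sign_package(pkg, private_key)
  private_key.sign(OpenSSL::Digest.new('SHA256'), canonical_bytes(pkg))
end

# Consumer side: verify against the publisher's public key only. Returns true
# exactly when the package is what that key's holder signed; a mismatch
# returns false rather than raising.
def verify_package(pkg, signature, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, canonical_bytes(pkg))
rescue OpenSSL::PKey::PKeyError
  false
end

# Walk through the three cases and return the outcomes in a hash.
def demo
  publisher = OpenSSL::PKey::RSA.new(2048)   # key the consumer trusts
  other     = OpenSSL::PKey::RSA.new(2048)   # key the consumer does not trust

  # Constructed sample package and its genuine signature.
  pkg = build_package(name: 'example-gem', version: '0.0.1',
                      files: { 'lib/example.rb' => "module Example; end\n" })
  sig = sign_package(pkg, publisher)

  # The same package with one file altered after the publisher signed it.
  tampered = build_package(name: 'example-gem', version: '0.0.1',
                           files: { 'lib/example.rb' => "module Example; end\n# altered\n" })

  {
    genuine:           verify_package(pkg, sig, publisher.public_key),
    tampered:          verify_package(tampered, sig, publisher.public_key),
    # Re-signing the altered package with a different key: the consumer checks
    # against the publisher's key, so this fails too.
    resigned_by_other: verify_package(tampered, sign_package(tampered, other),
                                      publisher.public_key)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, ok| puts "#{label}: #{ok ? 'verified' : 'REJECTED'}" }
end
```

The part the code cannot supply is the rest of the comment's "bunch of things": the consumer has to obtain the publisher's public key over a channel the attacker cannot rewrite, and the installer has to refuse unsigned or badly signed packages by default rather than warn and continue.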


Sure thing:

Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released

http://blog.plataformatec.com.br/2013/01/security-announceme...


Upgrade immediately unless you are using PostgreSQL or SQLite3.

So using a real database mitigated the entire issue. Secondly, this security issue doesn't allow you to retrieve every user's password in 8 hours.

