Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner warns developers to verify gems for file tampering

Fahmida Y. Rashid | April 8, 2016
While believes none of the gems have been maliciously modified, authors should check and verify

The impact on the developer community also appears limited, as gem files modified through this vulnerability would not be installable via the standard "gem install" command, Radcliffe said. The gem can't be installed this way, but that doesn't necessarily mean the file is entirely harmless. One possibility is that the gem could have been swapped with a malware executable that would infect the system after being downloaded.

Trusting community repositories

When it comes to downloading from the Internet, the general practice is to grab the files from official sources. But there's been a lot of discussion recently about the trustworthiness of these repositories.

The recent attack against Linux Mint's website resulted in users being tricked into downloading a modified ISO of Linux Mint 17.3 Cinnamon. The Node.js community has also had a number of discussions on Reddit and GitHub over the past few days about NPM's trust model and whether or not the modules from the package manager can be trusted. At this point, there is no way to verify.

The team at has done a thorough investigation to assure Ruby developers the gems available through the service is safe, and the current policy of using checksums is a good step toward maintaining trust. But here's yet another reminder that official sources can be polluted, and it's up to individual users to balance the risks of obtaining third-party code with the benefits of reusable code.

Source: Infoworld 


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.