_whitelogger has joined #rubygems
<whitequark> notifying you that per request of yorickpeterse, my logger (irclog.whitequark.org) is now present on #rubygems and #rubygems-trust
<drbrain> whitequark: awesome
<whitequark> drbrain: any other channels I should add? also, he also says it would be good to import logs. I can do that.
<raggi> totally non-critical
<raggi> but iirc, it's freenode policy to notify that in the topic somewhere
<raggi> or in the link off the topic
<drbrain> whitequark: there's other channels in the topic, but I'm only in #rubygems-verification
<whitequark> yes
<drbrain> whitequark: and nothing interesting has happened there
<raggi> hehe :)
<drbrain> well, I mean, not today
<whitequark> drbrain: ok
technomancy has left #rubygems ["ERC Version 5.3 (IRC client for Emacs)"]
<whitequark> you can just write me if I should change something.
AntiTyping has joined #rubygems
technicalpickles has quit [Quit: Textual IRC Client: www.textualapp.com]
<whitequark> raggi: yeah, freenode policy. would you change the topic in these channels?
jessed has quit [Ping timeout: 248 seconds]
markstarkman has joined #rubygems
<drbrain> I've been privately logging this channel through corundum for some years now
<drbrain> whitequark: link to logs?
drbrain changed the topic of #rubygems to: Latest status: http://twitter.com/rubygems_status - http://status.rubygems.org - http://tinyurl.com/anqa5s5 logs: http://irclog.whitequark.org/rubygems | Current breakout rooms: #rubygems-aws #rubygems-verification #rubygems-exploit #rubygems-trust
<drbrain> whitequark: #rubygems-trust is -t
<drbrain> so you can set the topic :D
<whitequark> drbrain: done
notnerb has joined #rubygems
jessed has joined #rubygems
ckrailo has quit [Quit: Computer has gone to sleep.]
markstarkman has quit [Ping timeout: 264 seconds]
blaines has quit [Read error: Operation timed out]
hahuang65 has quit [Quit: Computer has gone to sleep.]
chipc has joined #rubygems
chipc has quit [Changing host]
chipc has joined #rubygems
chipc has left #rubygems [#rubygems]
dukedave has joined #rubygems
bobdixon has joined #rubygems
jessed has quit [Ping timeout: 264 seconds]
rlowe has joined #rubygems
cowboyd has joined #rubygems
bobdixon has quit [Quit: bobdixon]
jessed has joined #rubygems
baburdick has joined #rubygems
ReinH has quit [Read error: Connection reset by peer]
jfoy has quit [Remote host closed the connection]
bobdixon has joined #rubygems
sferik has joined #rubygems
drbrain has quit [Ping timeout: 255 seconds]
Defiler has quit [Remote host closed the connection]
yerhot has joined #rubygems
tenderlove has quit [Remote host closed the connection]
craigmcnamara has quit [Quit: craigmcnamara]
yerhot has quit [Remote host closed the connection]
krohrbaugh has joined #rubygems
bobdixon has quit [Quit: bobdixon]
imajes has quit [Excess Flood]
Boxcar21 has quit [Quit: Leaving...]
imajes has joined #rubygems
martinisoft has joined #rubygems
eighthbit has joined #rubygems
Boxcar21 has joined #rubygems
nateberkopec has joined #rubygems
nateberkopec has quit [Client Quit]
nateberkopec has joined #rubygems
drbrain has joined #rubygems
rlowe has quit [Quit: :wq]
craigmcnamara has joined #rubygems
havenn has joined #rubygems
Perceptes has quit [Quit: Leaving.]
jcaudle has joined #rubygems
Emily is now known as EmilyAFK
adf has joined #rubygems
Mab879 has joined #rubygems
craigmcnamara has quit [Quit: craigmcnamara]
jaxx has joined #rubygems
mr_ndrsn has joined #rubygems
Cakey has joined #rubygems
phlipper is now known as phlipper_
havenn has quit [Remote host closed the connection]
markstarkman has joined #rubygems
Mab879 has quit [Disconnected by services]
Mab879 has joined #rubygems
imajes has quit [Excess Flood]
markstarkman has quit [Ping timeout: 245 seconds]
imajes has joined #rubygems
unsay has joined #rubygems
greggroth has joined #rubygems
kyd has joined #rubygems
ben_h has joined #rubygems
greggroth has quit [Ping timeout: 252 seconds]
terceiro has quit [Quit: Ex-Chat]
jessed has quit [Quit: jessed]
EmilyAFK is now known as Emily
ReinH has joined #rubygems
<ReinH> hai!
Perceptes has joined #rubygems
jivebot has joined #rubygems
envygeeks has quit [Quit: Bye]
<drbrain> ReinH: hai!
envygeeks has joined #rubygems
envygeeks has quit [Changing host]
envygeeks has joined #rubygems
mr_ndrsn has quit [Quit: Gone]
<ReinH> drbrain: how are le things
cowboyd has quit [Remote host closed the connection]
<drbrain> ReinH: for me, good
iamjarvo1 has quit [Quit: Leaving.]
<drbrain> but I think the rubygems-aws folks are still hard at work
iamjarvo has joined #rubygems
imajes has quit [Excess Flood]
imajes has joined #rubygems
imajes has quit [Excess Flood]
virtualpain has joined #rubygems
imajes has joined #rubygems
ckelly has quit [Quit: Leaving...]
iamjarvo has quit [Quit: Leaving.]
ben_h has quit [Quit: ben_h]
Antiarc has joined #rubygems
craigmcnamara has joined #rubygems
eighthbit has quit [Quit: eighthbit]
jessed has joined #rubygems
craigmcnamara has quit [Quit: craigmcnamara]
stevenhaddox is now known as stevenhaddox|afk
huoxito has quit [Quit: Leaving]
_maes_ has joined #rubygems
ckelly has joined #rubygems
markstarkman has joined #rubygems
Antiarc has quit [Disconnected by services]
Antiarc has joined #rubygems
ckelly has quit [Quit: Leaving...]
markstarkman has quit [Ping timeout: 245 seconds]
Cakey has quit [Ping timeout: 256 seconds]
jessed has quit [Quit: jessed]
ben_h has joined #rubygems
craigmcnamara has joined #rubygems
jessed has joined #rubygems
alindeman has quit [Ping timeout: 245 seconds]
jcaudle has quit [Quit: jcaudle]
postmodern has joined #rubygems
jcaudle has joined #rubygems
jcaudle has quit [Client Quit]
hakunin has quit [Ping timeout: 248 seconds]
imajes has quit [Excess Flood]
alindeman has joined #rubygems
imajes has joined #rubygems
Emily is now known as EmilyAFK
jessed has quit [Quit: jessed]
lsegal has quit []
lsegal has joined #rubygems
hakunin has joined #rubygems
EmilyAFK is now known as Emily
hakunin has quit [Excess Flood]
envygeeks has quit [Quit: Bye]
jfoy has joined #rubygems
nateberkopec has quit [Quit: Leaving...]
hakunin has joined #rubygems
jaxx has quit [Ping timeout: 240 seconds]
craigmcnamara has quit [Quit: craigmcnamara]
ckelly has joined #rubygems
virtualpain has quit [Quit: Leaving]
xternal has quit [Ping timeout: 245 seconds]
jfoy has quit [Quit: jfoy]
ashleyis has quit [Read error: Connection reset by peer]
xternal has joined #rubygems
ashleyis has joined #rubygems
bhenerey has quit [Quit: Leaving.]
hakunin has quit [Ping timeout: 245 seconds]
hakunin has joined #rubygems
hakunin has quit [Remote host closed the connection]
eighthbit has joined #rubygems
dukedave has quit [Ping timeout: 276 seconds]
bnzmnzhnz has quit [Ping timeout: 252 seconds]
ben_h has quit [Quit: ben_h]
qmx is now known as qmx|away
ben_h has joined #rubygems
ddfreyne has left #rubygems [#rubygems]
adf has quit [Quit: Computer has gone to sleep.]
markstarkman has joined #rubygems
Emily is now known as EmilyAFK
ben_h has quit [Quit: ben_h]
adf has joined #rubygems
mockra_ has quit [Remote host closed the connection]
markstarkman has quit [Ping timeout: 245 seconds]
fromonesrc has quit [Quit: fromonesrc]
Defiler has joined #rubygems
EmilyAFK is now known as Emily
savonarola has joined #rubygems
DonOtreply has joined #rubygems
unsay has quit [Ping timeout: 252 seconds]
bnzmnzhnz has joined #rubygems
Emily is now known as EmilyAFK
EmilyAFK is now known as Emily
bnzmnzhnz has quit [Ping timeout: 252 seconds]
Emily is now known as EmilyAFK
ben_h has joined #rubygems
mockra has joined #rubygems
mockra has quit [Ping timeout: 244 seconds]
gcoderre has joined #rubygems
jessed has joined #rubygems
adf has quit [Quit: Computer has gone to sleep.]
unsay has joined #rubygems
t00r has joined #rubygems
<t00r> is it safe to do a "gem install"?
shtirlic has joined #rubygems
shtirlic has quit [Remote host closed the connection]
unsay has quit [Ping timeout: 245 seconds]
envygeeks has joined #rubygems
gcoderre has quit [Quit: gcoderre]
ben_h has quit [Read error: Connection reset by peer]
ben_h has joined #rubygems
eighthbit has quit [Quit: eighthbit]
osaut has joined #rubygems
<ben_h> ReinH: it's looking great, i've only been observing though
EmilyAFK is now known as Emily
jessed has quit [Quit: jessed]
zerstorer has joined #rubygems
lsegal has quit [Quit: Quit: Quit: Quit: Stack Overflow.]
Emily is now known as EmilyAFK
unsay has joined #rubygems
markstarkman has joined #rubygems
ben_h_ has joined #rubygems
ben_h has quit [Read error: Connection reset by peer]
ben_h_ is now known as ben_h
markstarkman has quit [Ping timeout: 264 seconds]
mockra has joined #rubygems
unsay has quit [Ping timeout: 245 seconds]
tbuehlmann has joined #rubygems
sferik has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
mockra has quit [Ping timeout: 252 seconds]
workmad3 has joined #rubygems
envygeeks has quit [Quit: Bye]
DonOtreply has quit [Quit: Computer has gone to sleep.]
ben_h has quit [Quit: ben_h]
ben_h has joined #rubygems
alexmreis has joined #rubygems
unsay has joined #rubygems
osaut has quit [Quit: osaut]
Boxcar21 has quit [Quit: Leaving...]
unsay has quit [Ping timeout: 256 seconds]
EmilyAFK is now known as Emily
johndouthat has quit [Quit: johndouthat]
savonarola has quit [Quit: Ухожу я от вас]
ckelly has quit [Quit: Leaving...]
Emily is now known as EmilyAFK
workmad3 has quit [Ping timeout: 244 seconds]
mockra has joined #rubygems
mockra has quit [Ping timeout: 276 seconds]
imajes has quit [Excess Flood]
unsay has joined #rubygems
imajes has joined #rubygems
zerstorer has quit [Remote host closed the connection]
unsay has quit [Ping timeout: 255 seconds]
markstarkman has joined #rubygems
ben_h has quit [Remote host closed the connection]
ben_h has joined #rubygems
unsay has joined #rubygems
markstarkman has quit [Ping timeout: 264 seconds]
backjlack has joined #rubygems
unsay has quit [Ping timeout: 255 seconds]
mockra has joined #rubygems
<ben_h> hmm, i'm getting 'incorrect header check' trying to install gems on 2.0.0-rc1
<ben_h> my guess is that this is on the ruby side, though.
tbuehlmann has quit [Remote host closed the connection]
mockra has quit [Ping timeout: 245 seconds]
imajes has quit [Excess Flood]
imajes has joined #rubygems
<xybre> Just noticed, the https://rubygems.org/stats page isn't properly ordered. O_o
ben_h has quit [Quit: ben_h]
unsay has joined #rubygems
unsay has quit [Ping timeout: 255 seconds]
cbetta has joined #rubygems
backjlack has quit [Remote host closed the connection]
mockra has joined #rubygems
Egbrt has joined #rubygems
unsay has joined #rubygems
mockra has quit [Ping timeout: 260 seconds]
imajes has quit [Excess Flood]
imajes has joined #rubygems
ben_h has joined #rubygems
Perceptes has quit [Quit: Leaving.]
unsay has quit [Ping timeout: 252 seconds]
rafaelfranca has joined #rubygems
backjlack has joined #rubygems
markstarkman has joined #rubygems
markstarkman has quit [Ping timeout: 245 seconds]
unsay has joined #rubygems
teancom has quit [Remote host closed the connection]
<yorickpeterse> whitequark: awesome, thanks
tbuehlmann has joined #rubygems
AntiTyping has quit [Read error: Connection reset by peer]
AntiTyping has joined #rubygems
<t00r> ben_h: thanks.
t00r has quit [Quit: take notes.]
<ben_h> no problem :)
Plume has joined #rubygems
unsay has quit [Ping timeout: 276 seconds]
mockra has joined #rubygems
workmad3 has joined #rubygems
mockra has quit [Ping timeout: 264 seconds]
imajes has quit [Excess Flood]
imajes has joined #rubygems
stevenhaddox|afk is now known as stevenhaddox
workmad3 has quit [Ping timeout: 264 seconds]
jigfox has joined #rubygems
unsay has joined #rubygems
_diana_ has left #rubygems [#rubygems]
greggroth has joined #rubygems
x0F_ has joined #rubygems
x0F has quit [Disconnected by services]
x0F_ is now known as x0F
Egbrt has quit [Ping timeout: 245 seconds]
unsay has quit [Ping timeout: 248 seconds]
teancom has joined #rubygems
jaxx has joined #rubygems
greggroth has quit [Ping timeout: 252 seconds]
greggroth has joined #rubygems
teancom has quit [Remote host closed the connection]
unsay has joined #rubygems
greggroth has quit [Ping timeout: 276 seconds]
workmad3 has joined #rubygems
mockra has joined #rubygems
Cakey has joined #rubygems
imajes has quit [Excess Flood]
mockra has quit [Ping timeout: 260 seconds]
imajes has joined #rubygems
stevenhaddox has quit [Ping timeout: 264 seconds]
unsay has quit [Ping timeout: 256 seconds]
terceiro has joined #rubygems
bhenerey has joined #rubygems
imperator has joined #rubygems
markstarkman has joined #rubygems
postmodern has quit [Quit: Leaving]
markstarkman has quit [Ping timeout: 245 seconds]
sjaq has joined #rubygems
sjaq has quit [Remote host closed the connection]
teancom has joined #rubygems
anon4224124 has quit [Ping timeout: 252 seconds]
workmad3 has quit [Ping timeout: 264 seconds]
unsay has joined #rubygems
ben_h has quit [Quit: ben_h]
unsay has quit [Ping timeout: 252 seconds]
osaut has joined #rubygems
eighthbit has joined #rubygems
fozze has joined #rubygems
jigfox has quit [Quit: jigfox]
nateberkopec has joined #rubygems
nateberkopec has quit [Client Quit]
ckelly has joined #rubygems
workmad3 has joined #rubygems
jigfox has joined #rubygems
corundum has quit [Ping timeout: 245 seconds]
Plume has quit [Ping timeout: 256 seconds]
fozze has quit [Quit: WeeChat 0.3.9.2]
mockra has joined #rubygems
bnzmnzhnz has joined #rubygems
bhenerey has quit [Quit: Leaving.]
teancom has quit [Remote host closed the connection]
imajes has quit [Excess Flood]
mockra has quit [Ping timeout: 252 seconds]
jigfox has quit [Quit: jigfox]
imajes has joined #rubygems
unsay has joined #rubygems
osaut has quit [Read error: Connection reset by peer]
corundum has joined #rubygems
osaut has joined #rubygems
Cakey has quit [Ping timeout: 276 seconds]
unsay has quit [Ping timeout: 248 seconds]
<schisamo> back
HHRy has left #rubygems [#rubygems]
derekprior has quit [Quit: Textual IRC Client: www.textualapp.com]
workmad3 has quit [Ping timeout: 252 seconds]
havenn has joined #rubygems
mockra has joined #rubygems
mockra has quit [Remote host closed the connection]
backjlack has quit [Read error: Connection reset by peer]
unsay has joined #rubygems
mhfs has joined #rubygems
unsay has quit [Ping timeout: 255 seconds]
mhfs has quit [Client Quit]
markstarkman has joined #rubygems
mockra has joined #rubygems
mr_ndrsn has joined #rubygems
teancom has joined #rubygems
osaut has quit [Quit: osaut]
markstarkman has quit [Ping timeout: 245 seconds]
osaut has joined #rubygems
mockra has quit [Ping timeout: 245 seconds]
teancom has quit [Remote host closed the connection]
teancom has joined #rubygems
KenDhia has joined #rubygems
<whitequark> yay clickbait
<qrush> totally link bait
<whitequark> haha HN submission has 11 points
<Antiarc> qrush: I put together a proposal for a security infrastructure last night. Would love your thoughts if your hair is not-on-fire yet.
teancom has quit [Remote host closed the connection]
<qrush> Antiarc: i'm helping to run a barcamp in Buffalo today - you should post anything like that to rubygems-developers if it involves the client lib, or the google group for rubygems.org if it involves the rails app
<Antiarc> qrush: Will do. It would involve changes to both, so I'll cross-post it.
<qrush> i am not a security expert by any means - if you want to enact real change please stick around, be patient and persistent
<Antiarc> Will do. I don't want to add to your load, but do want to help solve this for the future. :)
<zzak> if you really want to make a difference, write a blog post or tweet and post it on hn
<Antiarc> heh
<zzak> :(
<qrush> zzak: :(
<yorickpeterse> zzak: preferably also bitch about it on Twitter
<yorickpeterse> "ZOMG RUBYGEMS IS RUN BY SCRUBS, I CAN TOTALLY DO THA...oh wait"
<yorickpeterse> Now let's see how bad last night's code for mirroring Rubygems was
Elhu has joined #rubygems
<zzak> thanks for your hard work everyone, i'm sorry people have to suck sometimes <3
bhenerey has joined #rubygems
sdudenhofer has joined #rubygems
unsay has joined #rubygems
<raggi> cbetta: "stop running code on install" <- this is basically impossible
<raggi> it's also pointless
<raggi> people who don't pay attention do something like this:
<raggi> gem install somegem && irb -> >> require 'somegem'
<raggi> it makes no difference, so let's be real
<qrush> i think most people do that, even those that pay attention
<raggi> qrush: i actually read gem sources
<qrush> raggi: you're one of the few ;)
<raggi> but i don't know really anyone else that does
<raggi> i know
<raggi> :(
workmad3 has joined #rubygems
<whitequark> qrush: I'm fairly certain I could get crap past your radar
<qrush> the entire system is built on personal trust
<raggi> and honestly, i still at times install things blind, i certainly don't read every version
<qrush> which isn't enough anymore
<raggi> yeah
<qrush> whitequark: well, no shit :)
<raggi> it is
<raggi> it will have to be
<dbussink> raggi: i think the question is more, do you also read all dependencies then ;)
<raggi> we can add some level of "repeat trust"
<raggi> but
<raggi> dbussink: yes, at least once, at least one version
<raggi> dbussink: but i read something once to trust it, after that i rarely read it again
<cbetta> raggi qrush video also points out that lots of people read code they think is the source
mockra has joined #rubygems
<cbetta> they read github but source code might be something very different
<raggi> yeah
<raggi> er
<raggi> gem unpack gemname
Elhu has quit [Quit: Computer has gone to sleep.]
<raggi> anyway
<raggi> that aspect of "trust the original author" never goes away
<raggi> the *only* way to solve that
<raggi> is to read the stuff
<raggi> you can move the trust sideways
fromonesrc has joined #rubygems
Mab879 has quit [Quit: quit]
<cbetta> raggi qrush what worries me is the collection of those problems
<raggi> say have a list of public volunteers that review every gem before release
<cbetta> together they make for some very interesting scenarios
<cbetta> as pointed out in the Aloha ruby conf
<raggi> but then you are just testing that team
<raggi> so you didn't solve the trust problem
<raggi> you just moved it sideways
<raggi> this is the same as your OS
<raggi> you're running code from thousands of people
<raggi> do you trust them all?
<dbussink> the whole thing is turtles all the way down
<raggi> do you have signatures from every line they wrote?
<cbetta> solving 1 of them won't do much, but adding road block for every one will make a potential exploit of any kind a lot less dangerous
<dbussink> do you trust your hardware?
teancom has joined #rubygems
<raggi> dbussink: exactly
<whitequark> raggi: on a debian system, that is pretty much the case
<raggi> cbetta: that's not true
<raggi> cbetta: the recent PoC would have been pushed by someone regardless of these "roadblocks"
<raggi> intent has this magical way of not giving a crap how big the wall is
<cbetta> raggi my problem isn't with the recent PoC
<cbetta> but with other potential exploits
<raggi> you want someone to take the responsibility of safety from you
<raggi> and if you want that, you're going to need to pay for it
<raggi> (and maybe now you realize why people pay for commercial libraries still today)
<whitequark> raggi: (not that they commonly have better track records at security than OSS ones)
gcoderre has joined #rubygems
<raggi> yes, they do
<raggi> certainly for internal and release level security
<raggi> much better
mockra has quit [Ping timeout: 276 seconds]
<raggi> don't get religious or be blinded by internet commentary
<whitequark> well it probably depends on what do you call "libraries"
<whitequark> nay, talking from personal experience
<raggi> i'm not having this argument with someone on the internet
unsay has quit [Ping timeout: 264 seconds]
<whitequark> the most notable example I've seen is flexlm, a license management library which leaks its master private key
<whitequark> widely used
<whitequark> but whatever
Leeky has joined #rubygems
<jrgifford> qrush: so, you think a debian or centos/fedora type archive is needed now?
<jrgifford> right now, rubygems is kind of the wild west - like the arch user repo, except more interesting.
Leeky has left #rubygems [#rubygems]
<raggi> jrgifford: what isn't "the wild west"?
<raggi> and what properties are real differentiating factors to end user trust
Plume has joined #rubygems
kyrylo has joined #rubygems
<jrgifford> right now, there is no method of trust. it's just a "Oh, this gem looks interesting".
<raggi> that isn't an answer
<jrgifford> raggi: the debian archives aren't the wild west.
<jrgifford> ^^ imagine if someone did something like that. but it actually *did* that, instead of just saying ruby developers are stupid and will install anything.
<raggi> jrgifford: how do you know the debian archives are any different?
<jrgifford> raggi: the debian archives have a process for getting *in*.
<jrgifford> raggi: and i use debian based stuff every day.
<raggi> you use gems every day too
<raggi> (probably)
<jrgifford> i do.
<teancom> debian has hundreds of developers and volunteers, and process developed over the last 15 years. rubygems - even with the people that have jumped on in the last week (hi! I'm one of them) might have as many as 20.
<teancom> ^^ the difference
<raggi> that's proportional with the size of user base
<raggi> but regardless
<raggi> jrgifford: why do you trust debian reviewers?
gcoderre has quit [Quit: gcoderre]
<jrgifford> raggi: pgp.
<jrgifford> and the fact it requires a sponsor of packageA, then it *might* get it.
imajes has quit [Excess Flood]
<raggi> you trust people to do the right thing because they use a crypto technology?
<jrgifford> there is a review process of both the uploaders and the package itself.
imajes has joined #rubygems
<jrgifford> rubygems doesn't have that. it's almost like the PPAs that ubuntu has, except everything is in the main repository.
<raggi> does that review process involve reading all the code in every version?
kyrylo has left #rubygems ["Recharging eyes…"]
neilb14 has joined #rubygems
<jrgifford> don't think it does, but it is still more structured, and things don't get uploaded immediately. they get pushed into -proposed (in ubuntu, in debian it's into sid), where volunteers test them. if bad things happen, then the package gets taken apart, rebuilt and bugfixed, if nothing happens, then it gets moved into the stable release channel.
<raggi> i'm running out of time, as i'm going on a hike, i'd like to keep leading you rather than telling you, but i'll leave you with this
<raggi> debian packages include many rubygems, many of which have these problems, and rubygems itself, which certainly contains the problems we just had
<raggi> there is no reason to believe that the process is any more robust for other packages than for rubygems
<raggi> you trust them because you feel you should, you see some justification in their choices and so on
<raggi> but fundamentally, you choose to trust what you install
<jrgifford> i choose to trust what i install because i have a trail. a trail of gpg signings, real people, emails, bug reports, checksums etc. a trail that rubygems doesn't have (for most gems).
<jrgifford> enjoy your hike!
<raggi> so you want necks to wring
<raggi> and sure
<raggi> we actually have that today
pgmcgee has joined #rubygems
<qrush> jrgifford: Not sure but I love the debian style indexing of packages - solves so many problems we have struggled with for a long time
<qrush> jrgifford: the problem we have over linux distros is that our stuff needs to work on all platforms
<jrgifford> qrush: there are pros and cons either way - with more structure, you end up with a potentially stiff and painful process that goes against the "shipit" mentality that ruby people supposedly have.
dontbecold_ has joined #rubygems
<jrgifford> and there is the "this needs to work on everything, not just *NIX stuff" side as well.
luoluoluo has joined #rubygems
<qrush> Agreed :) One thing i don't want to lose is the easiness of `gem push` :)
<qrush> if that means there's more setup or signing, or whatever - fine
<qrush> things obviously have to change, i'm just not sure how...now that we are stable again it's time to start talking about this.
KenDhia has quit [Ping timeout: 264 seconds]
<raggi> i certainly think the CA approach helps us, for the same reason it helps apt
<raggi> we can permaban keys, and track down all affected packages, etc
<raggi> which provides a recovery against evil individuals
teancom has quit [Remote host closed the connection]
<raggi> and in this regard, i'm all for signing
eighthbit has quit [Quit: eighthbit]
<raggi> but we also need policy for that stuff, even before process
<raggi> like, should we be banning Ben for publishing evil gems?
<raggi> or is he ok, because he was giving a talk?
teancom has joined #rubygems
osaut has quit [Quit: osaut]
mockra has joined #rubygems
<raggi> what about postmodern, it was his code that was pushed in the PoC?
<raggi> the lines are hard to draw
pearkes has quit [Quit: IRCRelay - http://ircrelay.com]
pearkes has joined #rubygems
mockra has quit [Ping timeout: 248 seconds]
<raggi> we just received our first actual proposal on the ML :)
luoluoluo has quit [Quit: 离开]
teancom has quit [Remote host closed the connection]
bcardarella has left #rubygems [#rubygems]
bhenerey has quit [Quit: Leaving.]
unsay has joined #rubygems
teancom has joined #rubygems
workmad3 has quit [Ping timeout: 245 seconds]
<qrush> wow - thanks Antiarc. i need to soak this in but can't today
greggroth has joined #rubygems
maledale has joined #rubygems
<yorickpeterse> TIL Rack has had quite a few releases
<yorickpeterse> ls sync/rubygems/quick/Marshal.4.8/ | wc -l # => 72, that's not just Rack though
teancom has quit [Remote host closed the connection]
vanstee has quit [Quit: Computer has gone to sleep.]
jaxx has quit [Ping timeout: 240 seconds]
Antiarc|Nexus has joined #rubygems
Antiarc|Nexus has quit [Client Quit]
Boxcar21 has joined #rubygems
Antiarc|Nexus has joined #rubygems
Plume has quit [Ping timeout: 260 seconds]
Egbrt has joined #rubygems
adf has joined #rubygems
calmyournerves has joined #rubygems
Spacegho_ has joined #rubygems
onemanjujitsu has joined #rubygems
eighthbit has joined #rubygems
mlen has left #rubygems ["WeeChat 0.4.0"]
mockra has joined #rubygems
mockra has quit [Ping timeout: 252 seconds]
tmilewski has joined #rubygems
therealadam has joined #rubygems
Egbrt has quit [Quit: Egbrt]
DonOtreply has joined #rubygems
onemanjujitsu has quit [Quit: onemanjujitsu]
johndouthat has joined #rubygems
stevenhaddox has joined #rubygems
dukedave has joined #rubygems
teancom has joined #rubygems
<raz> hm, this signing discussion keeps shifting around across channels, github, now ml ;)
<raz> fwiw, i've added my counterpoint against a central CA here https://github.com/rubygems-trust/rubygems.org/issues/3
<calmyournerves> Help needed anywhere?
cbetta is now known as cbetta_afk
alexmreis has quit [Quit: alexmreis]
alexmreis has joined #rubygems
DonOtreply has quit [Quit: Computer has gone to sleep.]
alexmreis has quit [Quit: alexmreis]
nateberkopec has joined #rubygems
vanstee has joined #rubygems
bnzmnzhn` has joined #rubygems
dontbecold_ has quit [Quit: dontbecold_]
bnzmnzhnz has quit [Ping timeout: 240 seconds]
dontbecold_ has joined #rubygems
nateberkopec has quit [Client Quit]
nateberkopec has joined #rubygems
bnzmnzhn` has quit [Ping timeout: 255 seconds]
onemanjujitsu has joined #rubygems
neilb14 has quit [Ping timeout: 245 seconds]
twopoint718 has joined #rubygems
twopoint718 has quit [Changing host]
twopoint718 has joined #rubygems
thereala_ has joined #rubygems
teancom has quit [Remote host closed the connection]
therealadam has quit [Ping timeout: 240 seconds]
mockra has joined #rubygems
ckelly has quit [Quit: Leaving...]
KenDhia has joined #rubygems
mockra has quit [Ping timeout: 260 seconds]
lsegal has joined #rubygems
Antiarc|Nexus has quit [Read error: Connection reset by peer]
tmilewski has quit [Quit: tmilewski]
Antiarc|Nexus has joined #rubygems
havenn has quit [Remote host closed the connection]
nfk has joined #rubygems
phlipper_ is now known as phlipper
andrewhubbs has joined #rubygems
andrewhubbs has quit [Client Quit]
KenDhia has quit [Ping timeout: 252 seconds]
maledale has quit [Quit: maledale]
andrewhubbs has joined #rubygems
maledale has joined #rubygems
snooc has joined #rubygems
KenDhia has joined #rubygems
ckelly has joined #rubygems
cowboyd has joined #rubygems
markstarkman has joined #rubygems
kallistec is now known as ddeleo
teancom has joined #rubygems
Spacegho_ has quit [Remote host closed the connection]
DonOtreply has joined #rubygems
markstarkman has quit [Ping timeout: 245 seconds]
dukedave has quit [Quit: Leaving.]
craigmcnamara has joined #rubygems
tmilewski has joined #rubygems
cbetta_afk is now known as cbetta
DonOtreply has quit [Quit: Computer has gone to sleep.]
someara has left #rubygems [#rubygems]
cowboyd has quit [Remote host closed the connection]
Perceptes has joined #rubygems
workmad3 has joined #rubygems
DonOtreply has joined #rubygems
teancom has quit [Remote host closed the connection]
werdnativ has joined #rubygems
dukedave has joined #rubygems
unsay has quit [Ping timeout: 252 seconds]
alexmreis has joined #rubygems
unsay has joined #rubygems
mockra has joined #rubygems
thereala_ has quit [Remote host closed the connection]
bhenerey has joined #rubygems
mr_ndrsn has quit [Quit: mr_ndrsn]
mockra has quit [Ping timeout: 244 seconds]
mr_ndrsn has joined #rubygems
cowboyd has joined #rubygems
jfelchner has quit [Ping timeout: 264 seconds]
havenn has joined #rubygems
KenDhia has quit [Ping timeout: 245 seconds]
onemanjujitsu has quit [Quit: onemanjujitsu]
jfelchner has joined #rubygems
maledale has quit [Quit: maledale]
eighthbit has quit [Quit: eighthbit]
unsay has quit [Ping timeout: 252 seconds]
calmyournerves has quit [Quit: Leaving.]
vertis has left #rubygems [#rubygems]
vertis has joined #rubygems
calmyournerves_ has joined #rubygems
KenDhia has joined #rubygems
craigmcnamara has quit [Quit: craigmcnamara]
jfoy has joined #rubygems
jeer has joined #rubygems
Plume has joined #rubygems
onemanjujitsu has joined #rubygems
havenn has quit [Remote host closed the connection]
havenn has joined #rubygems
havenn has quit [Ping timeout: 252 seconds]
werdnativ has quit [Quit: werdnativ]
Antiarc|Nexus has quit [Read error: Connection reset by peer]
Antiarc|Nexus has joined #rubygems
knowtheory has joined #rubygems
Antiarc|Nexus has quit [Client Quit]
osaut has joined #rubygems
mockra has joined #rubygems
jfoy has quit [Quit: jfoy]
greggroth has quit [Ping timeout: 252 seconds]
mockra has quit [Ping timeout: 245 seconds]
pewter_tao has joined #rubygems
calmyournerves_ has quit [Quit: Leaving.]
snooc has quit [Remote host closed the connection]
calmyournerves has joined #rubygems
alexmreis has quit [Quit: alexmreis]
sdudenhofer has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
havenn has joined #rubygems
onemanjujitsu has quit [Quit: onemanjujitsu]
pewter_tao has quit [Ping timeout: 252 seconds]
markstarkman has joined #rubygems
notnerb has quit [Quit: Leaving.]
notnerb has joined #rubygems
notnerb has quit [Read error: Connection reset by peer]
notnerb has joined #rubygems
notnerb has quit [Client Quit]
markstarkman has quit [Ping timeout: 245 seconds]
cowboyd has quit [Remote host closed the connection]
Plume has quit [Quit: Instantbird 1.3 -- http://www.instantbird.com]
kseifried has joined #rubygems
unsay has joined #rubygems
workmad3 has quit [Ping timeout: 255 seconds]
unsay has quit [Ping timeout: 245 seconds]
Perceptes has quit [Quit: Leaving.]
KenDhia has quit [Ping timeout: 260 seconds]
gabceb has quit [Quit: gabceb]
havenn has quit [Read error: Connection reset by peer]
alexmreis has joined #rubygems
havenn has joined #rubygems
onemanjujitsu has joined #rubygems
knowtheory has quit [Quit: Computer has gone to sleep]
knowtheory has joined #rubygems
samkottler has quit [Remote host closed the connection]
dukedave has quit [Ping timeout: 255 seconds]
knowtheory has quit [Ping timeout: 276 seconds]
samkottler has joined #rubygems
alexmreis has quit [Quit: alexmreis]
samkottler has quit [Changing host]
samkottler has joined #rubygems
havenn has quit [Remote host closed the connection]
havenn has joined #rubygems
mockra has joined #rubygems
ckelly has quit [Quit: Leaving...]
mockra has quit [Ping timeout: 260 seconds]
jfoy has joined #rubygems
onemanjujitsu has quit [Quit: onemanjujitsu]
davidfstr has joined #rubygems
onemanjujitsu has joined #rubygems
alexmreis has joined #rubygems
alexmreis_ has joined #rubygems
alexmreis has quit [Ping timeout: 245 seconds]
alexmreis_ is now known as alexmreis
davidfstr has quit []
rafaelfranca has quit [Ping timeout: 245 seconds]
dukedave has joined #rubygems
dontbecold_ has quit [Quit: dontbecold_]
jfoy has quit [Quit: jfoy]
mose has quit [Ping timeout: 244 seconds]
mose has joined #rubygems
hakunin has joined #rubygems
Boxcar21 has quit [Quit: Leaving...]
osaut has quit [Quit: osaut]
tbuehlmann has quit [Remote host closed the connection]
alexmreis has quit [Quit: alexmreis]
serge has joined #rubygems
mockra has joined #rubygems
cbetta has left #rubygems ["["Textual IRC Client: www.textualapp.com"]"]
mockra has quit [Ping timeout: 256 seconds]
markstarkman has joined #rubygems
onemanjujitsu has quit [Quit: onemanjujitsu]
<davidjrice> is there a way I can get a list of all rubygems that are insecure?
<kseifried> "insecure" in what way?
<drbrain> topic
<drbrain> davidjrice: see http://tinyurl.com/anqa5s5 for what verification we've done
<kseifried> hmm good question, they have checked all the affected gems against known good and confirmed they are known good
<kseifried> ah drbrain lives
<drbrain> davidjrice: all gems have been verified with at least one third-party SHA512 checksum
markstarkman has quit [Ping timeout: 245 seconds]
<davidjrice> sorry. I mean. A rubygem that has been marked as insecure. YAML/JSON load bugs, etc
<davidjrice> is there such a data source?
<kseifried> davidjrice: you mean takes user input and passes via yaml/json/etc
<drbrain> davidjrice: we removed all gems with an exploit in the YAML metadata
<drbrain> but we don't have a list of gems that take user input and parse yaml/json/marshal etc.
<kseifried> davidjrice: if you start auditing can you let kseifried@redhat.com know your results? thanks
knowtheory has joined #rubygems
mephux has quit [Excess Flood]
nmeum has joined #rubygems
mephux has joined #rubygems
workmad3 has joined #rubygems
telmich has joined #rubygems
petersaints has joined #rubygems
<indirect> drbrain: sent you an email about sources in bundler… if you have a minute, could you tell me how rubygems currently handles it?
roolo has joined #rubygems