Maybe I’m just being paranoid here, but I’m starting to get a little worried that RubyGems could be a nasty attack vector, given certain combinations of malice and stupidity.

Six months ago, the Ape project picked up some collaborators with way more Ruby-savvy than I have, and in short order they moved it to RubyForge and made it into a Gem. Which means that anyone who uses RubyGems, i.e. every Ruby developer in the world, can type

sudo gem install ape

then when they type ape_server, there’s a mongrel and a handy local Ape running on port 4000. What’s not to like?

Well, I eventually came to wonder, where is ape_server anyhow? In /usr/bin, it turns out. Which is in root’s path on OS X, GNU/Linux, and Solaris. OK then, so if gem routinely dumps programs in /usr/bin, who’s entitled to create Gems? Anyone with a RubyForge account, it seems. So, how do you get one of those? Well, by going to rubyforge.org and clicking on “New Account”.

Am I being paranoid, or is this maybe a problem?

Scenario: J. Evil Hacker creates a naked_celebrity_video gem and announces it to the world. Installing it, as a side-effect, creates /usr/bin/ls. Or, J.E.H. submits some good patches to a well-known gem and eventually gets blessed as a committer: /usr/bin/ls. Or, J.E.H. manages to get access to a logged-on computer belonging to a well-known gem maintainer; someone who knows what they’re doing, given about fifteen minutes: /usr/bin/ls.
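As an added example (not from the post or the Ape project), here is the question a cautious admin would want answered before `gem install` runs: which executables would this gem drop into a bin directory, and do any of them shadow a command that already exists there? The gemspec below is constructed inline to mirror the scenario above; the bin directory it is checked against is a throwaway temp dir holding a fake `ls`.

```ruby
require "rubygems"
require "tmpdir"
require "fileutils"

# For each executable a gemspec declares, look for a file of the same name in
# the given bin directories (the ones the installer would write into).
# Returns { "exe_name" => "/path/to/existing/file" } for every collision,
# i.e. every install that would overwrite or shadow a command already present.
def executable_collisions(spec, bin_dirs)
  spec.executables.each_with_object({}) do |exe, hits|
    existing = bin_dirs.map { |d| File.join(d, exe) }.find { |p| File.file?(p) }
    hits[exe] = existing if existing
  end
end

# A constructed specification (no such gem is fetched or installed) that
# ships the legitimate ape_server alongside a trojan "ls", as in the post.
def scenario_spec
  Gem::Specification.new do |s|
    s.name        = "naked_celebrity_video" # constructed, from the scenario
    s.version     = "0.0.1"
    s.summary     = "constructed example gem"
    s.authors     = ["J. Evil Hacker"]
    s.executables = ["ape_server", "ls"]
  end
end

# Check the constructed gem against a temp "bin" that only contains ls.
# Only "ls" is reported; ape_server is new and collides with nothing.
def demo
  Dir.mktmpdir do |bin_dir|
    FileUtils.touch(File.join(bin_dir, "ls"))
    executable_collisions(scenario_spec, [bin_dir])
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same function can be pointed at the real directories on root's PATH (`%w[/usr/bin /usr/local/bin]`), and installing with `gem install --user-install` keeps gem executables under the user's home directory instead of /usr/bin in the first place.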