Hoe poisoned in Rubyforge

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:

$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted

There is no gem by the name of 'zentest', and hoe will likely never depend on 'ZenTest'.

Until this is fixed you won't be able to install any Gems built with hoe-1.1.7.

···

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

This is obviously the work of someone extending rubygems to have developer dependencies. Regardless of intent: you had NO RIGHT to upload ANYTHING to the gem repository under someone else's name or project. NONE. EVER. To say that I'm unhappy about this (and you) is a vast f@cking understatement.

P.S. There is a suite of unit tests built-in to rubygems for exactly this purpose. You might want to try writing some quality code before you decide you're equipped enough to start working on rubygems.

···

On Jan 14, 2007, at 12:30 AM, Eric Hodel wrote:

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:
$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted
There is no gem by the name of 'zentest', and hoe will likely never depend on 'ZenTest'.
Until this is fixed you won't be able to install any Gems built with hoe-1.1.7.

Actually, you can download hoe by hand:

   http://rubyforge.org/frs/download.php/16275/hoe-1.1.7.gem

and install it by hand:

   gem install hoe

To work around the infinite dependency loop.

···

On Jan 14, 2007, at 24:30, Eric Hodel wrote:

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:

$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted

There is no gem by the name of 'zentest', and hoe will likely never depend on 'ZenTest'.

Until this is fixed you won't be able to install any Gems built with hoe-1.1.7.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net

YOU LIT MY GEM ON FIRE!

I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here, I was testing
adding dependencies, I thought I had it, and in a rush, I added the
bad Hoe gem to rubyforge under a different name, which, I did wrong,
and I shouldn't have done in the first place. After a while I
realized this could cause problems, so I deleted it, and checked, and
the issue wasn't affecting my machine yet, so I assumed I had caught
it before gems propagated, which I had not. I know this was a big
fu@king mistake, I know I should have handled it better than just
deleting the gem. I am very sorry, and hope that it gets resolved
soon, so people are no longer inconvenienced. If I can do anything to
help this mess, please contact me. I am sorry to you Eric, and to
this community.

···

On 1/14/07, Eric Hodel <drbrain@segment7.net> wrote:

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:

$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted

There is no gem by the name of 'zentest', and hoe will likely never
depend on 'ZenTest'.

Until this is fixed you won't be able to install any Gems built with
hoe-1.1.7.

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!

--
Chris Carter
concentrationstudios.com
brynmawrcs.com

Is the implication here that someone on seattle.rb uploaded a new gem, or that someone hacked Rubyforge to do it, or what? Just wondering, since if it's the latter others may need to check their gems too, and Tom Copeland should probably hear about it.

···

On Sun, 14 Jan 2007 08:44:25 -0000, Ryan Davis <ryand-ruby@zenspider.com> wrote:

On Jan 14, 2007, at 12:30 AM, Eric Hodel wrote:

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:
$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted
There is no gem by the name of 'zentest', and hoe will likely never depend on 'ZenTest'.
Until this is fixed you won't be able to install any Gems built with hoe-1.1.7.

This is obviously the work of someone extending rubygems to have developer dependencies. Regardless of intent: you had NO RIGHT to upload ANYTHING to the gem repository under someone else's name or project. NONE. EVER. To say that I'm unhappy about this (and you) is a vast f@cking understatement.

--
Ross Bamford - rosco@roscopeco.remove.co.uk

Please do not use RubyForge for testing without asking Tom first.

···

On 1/14/07, Chris Carter <cdcarter@gmail.com> wrote:

I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here, I was testing
adding dependencies, I thought I had it, and in a rush, I added the
bad Hoe gem to rubyforge under a different name, which, I did wrong,
and I shouldn't have done in the first place.

So if I have a RubyForge account I can upload a modified gem, of, say,
Rails, with a backdoor, and unknowing ruby users will accidentally install
it and open a backdoor in production rails servers?

This sounds bad. VERY bad.

WTF?

SonOfLilit

···

On 1/14/07, Chris Carter <cdcarter@gmail.com> wrote:

On 1/14/07, Eric Hodel <drbrain@segment7.net> wrote:
> Somehow hoe-1.1.7 has become poisoned in the RubyGems index:
>
> $ sudo gem install hoe
> Install required dependency zentest? [Yn] ^CERROR: Interrupted
>
> There is no gem by the name of 'zentest', and hoe will likely never
> depend on 'ZenTest'.
>
> Until this is fixed you won't be able to install any Gems built with
> hoe-1.1.7.
>
> --
> Eric Hodel - drbrain@segment7.net - http://blog.segment7.net
>
> I LIT YOUR GEM ON FIRE!
>
I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here, I was testing
adding dependencies, I thought I had it, and in a rush, I added the
bad Hoe gem to rubyforge under a different name, which, I did wrong,
and I shouldn't have done in the first place. After a while I
realized this could cause problems, so I deleted it, and checked, and
the issue wasn't affecting my machine yet, so I assumed I had caught
it before gems propagated, which I had not. I know this was a big
it before gems propogated, which I had not. I know this was a big
fu@king mistake, I know I should have handled it better than just
deleting the gem. I am very sorry, and hope that it gets resolved
soon, so people are no longer inconvenienced. If I can do anything to
help this mess, please contact me. I am sorry to you Eric, and to
this community.

--
Chris Carter
concentrationstudios.com
brynmawrcs.com

Hi Chris -

Can you please drop me a note offlist at tom@infoether.com? It seems
the code I wrote to prevent just these sorts of situations may not have
been sufficient. I'd definitely appreciate your help in sorting things
out...

Thanks,

Tom

···

On Mon, 2007-01-15 at 00:42 +0900, Chris Carter wrote:

I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here, I was testing
adding dependencies, I thought I had it, and in a rush, I added the
bad Hoe gem to rubyforge under a different name, which, I did wrong,
and I shouldn't have done in the first place. After a while I
realized this could cause problems, so I deleted it, and checked, and
the issue wasn't affecting my machine yet, so I assumed I had caught
it before gems propagated, which I had not. I know this was a big
fu@king mistake, I know I should have handled it better than just
deleting the gem. I am very sorry, and hope that it gets resolved
soon, so people are no longer inconvenienced. If I can do anything to
help this mess, please contact me. I am sorry to you Eric, and to
this community.

<snip>

Just to tell you that I feel very much with you, I am the King of making
Mistakes like that.
I know how one feels.
You are very brave, hopefully that will be considered in your favor ;-)

<snip>

Cheers
Robert

···

On 1/14/07, Chris Carter <cdcarter@gmail.com> wrote:

I want to apologize ...

Chris Carter wrote:

I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here, I was testing
adding dependencies, I thought I had it, and in a rush, I added the
bad Hoe gem to rubyforge under a different name, which, I did wrong,
and I shouldn't have done in the first place. After a while I
realized this could cause problems, so I deleted it, and checked, and
the issue wasn't affecting my machine yet, so I assumed I had caught
it before gems propagated, which I had not. I know this was a big
fu@king mistake, I know I should have handled it better than just
deleting the gem. I am very sorry, and hope that it gets resolved
soon, so people are no longer inconvenienced. If I can do anything to
help this mess, please contact me. I am sorry to you Eric, and to
this community.

Just as an aside, you're not the first to make mistakes like this... Sometime in September I uploaded a gem to RubyForge that was generated with JRuby. At that point in time there was a flaw in the JRuby YAML library that regular Ruby (and SYCK) couldn't handle, which resulted in the complete RubyForge gem-index being broken for a few hours. Quite embarrassing. (The JRuby issue was fixed very soon after that, of course, and JRuby is now safe to use for generating gems).

I would like to add that I find Ryan's words quite harsh in the context. We all make mistakes.

···

--
  Ola Bini (http://ola-bini.blogspot.com)
  JvYAML, RbYAML, JRuby and Jatha contributor
  System Developer, Karolinska Institutet (http://www.ki.se)
  OLogix Consulting (http://www.ologix.com)

  "Yields falsehood when quined" yields falsehood when quined.

I want to apologize to the group on this one. It was caused by my
utter incompetence, and I know I really screwed up here

<snip>

I am very sorry, and hope that it gets resolved
soon, so people are no longer inconvenienced. If I can do anything to
help this mess, please contact me. I am sorry to you Eric, and to
this community.

Chris,

Your public apology and offer to help in fixing any problems it caused
shows a lot of professionalism on your part. Everyone makes mistakes;
most people wouldn't voluntarily own up to them in front of the whole
community. You have my respect.

···

On Jan 14, 7:42 am, "Chris Carter" <cdcar...@gmail.com> wrote:

--
Regards,

John Wilger

Somehow hoe-1.1.7 has become poisoned in the RubyGems index:
$ sudo gem install hoe
Install required dependency zentest? [Yn] ^CERROR: Interrupted
There is no gem by the name of 'zentest', and hoe will likely never depend on 'ZenTest'.
Until this is fixed you won't be able to install any Gems built with hoe-1.1.7.

This is obviously the work of someone extending rubygems to have developer dependencies. Regardless of intent: you had NO RIGHT to upload ANYTHING to the gem repository under someone else's name or project. NONE. EVER. To say that I'm unhappy about this (and you) is a vast f@cking understatement.

Is the implication here that someone on seattle.rb uploaded a new gem, or that someone hacked Rubyforge to do it, or what?

You can upload a gem of any name to any rubyforge project including gems with name collisions. It appears that somebody uploaded a modified copy of hoe then deleted it shortly afterward.

Only the gem index has been poisoned, it seems that the bad hoe didn't get mirrored.

The poisoning indicates it was done by somebody attempting to add developer dependencies to RubyGems.

Just wondering, since if it's the latter others may need to check their gems too,

While this upsets me to no end, I'll pin it on incompetence and/or idiocy.

Whoever did this ignored a perfectly good set of unit tests, testing tools, and the gem_server command itself to test out what they were doing.

and Tom Copeland should probably hear about it.

He's been notified, but he's asleep.

···

On Jan 14, 2007, at 03:20, Ross Bamford wrote:

On Sun, 14 Jan 2007 08:44:25 -0000, Ryan Davis <ryand-ruby@zenspider.com> wrote:

On Jan 14, 2007, at 12:30 AM, Eric Hodel wrote:

--
Eric Hodel - drbrain@segment7.net - http://blog.segment7.net

YOU LIT MY GEM ON FIRE!
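The failure Eric reports above (an index entry for hoe-1.1.7 that names a dependency no gem satisfies) and the "infinite dependency loop" Ryan's workaround sidesteps are both properties of the dependency graph the index describes, so an installer can detect them before prompting anyone. The following is an added example, not code from the thread or from RubyGems: a toy index as a hash of gem name to dependency names, and a checker that reports unsatisfiable dependencies and cycles. The gem names and dependency lists are constructed to mirror the thread, not the real 2007 index entries, and gem-name matching is assumed to be case-sensitive (so 'zentest' does not resolve to 'ZenTest').

```ruby
# Added example (not code from the thread or from RubyGems): a minimal
# model of a gem index and a checker for what the poisoned hoe-1.1.7 entry
# produced. Names and dependency lists below are constructed, not the real
# 2007 index entries.

# Healthy index: hoe depends on rake and rubyforge; ZenTest is built with hoe.
INDEX = {
  "hoe"       => ["rake", "rubyforge"],
  "rake"      => [],
  "rubyforge" => [],
  "ZenTest"   => ["hoe"],
}.freeze

# Poisoned index as Eric saw it: hoe now claims a dependency on 'zentest',
# a name no gem in the index carries (matching is assumed case-sensitive).
POISONED_INDEX = INDEX.merge("hoe" => ["rake", "rubyforge", "zentest"]).freeze

# Variant where the bogus dependency does resolve: hoe -> ZenTest -> hoe.
LOOPED_INDEX = INDEX.merge("hoe" => ["rake", "rubyforge", "ZenTest"]).freeze

class DepChecker
  def initialize(index)
    @index = index
  end

  # Depth-first walk from `root`. Returns { missing: [...], cycles: [...] };
  # an empty report means `gem install root` could resolve everything.
  def check(root)
    @missing = []
    @cycles  = []
    @done    = {}
    @stack   = []   # gems on the current DFS path
    visit(root)
    { missing: @missing.uniq, cycles: @cycles }
  end

  private

  def visit(name)
    return if @done[name]
    if (at = @stack.index(name))
      # Back edge to a gem still being resolved: the "infinite dependency
      # loop" a naive installer would follow forever.
      @cycles << (@stack[at..-1] + [name])
      return
    end
    unless @index.key?(name)
      @missing << name
      return
    end
    @stack.push(name)
    @index[name].each { |dep| visit(dep) }
    @stack.pop
    @done[name] = true
  end
end

# Human-readable verdict, in the spirit of what an installer should print
# instead of prompting to install a gem that does not exist.
def report(index, root)
  r = DepChecker.new(index).check(root)
  return "#{root}: all dependencies resolvable" if r[:missing].empty? && r[:cycles].empty?
  lines = r[:missing].map { |m| "#{root}: dependency '#{m}' matches no gem in the index" }
  lines += r[:cycles].map { |c| "#{root}: dependency cycle #{c.join(' -> ')}" }
  lines.join("\n")
end

if $PROGRAM_NAME == __FILE__
  puts report(INDEX, "hoe")
  puts report(POISONED_INDEX, "hoe")
  puts report(LOOPED_INDEX, "hoe")
end
```

The checker treats a dependency on a gem that is still on the resolution stack as a cycle rather than recursing into it, which is the check a naive "install required dependency?" loop lacks; the missing-name case is the one Eric hit, and the cycle case is the one Ryan's hand-download avoids.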

I think if security is an issue, you should not download directly from
RubyForge via gems, but set up an audited gem server locally. (Or
download the files and gem install them locally)

Of course, this does not mean that such a problem isn't seriously disruptive.

···

On 1/14/07, SonOfLilit <sonoflilit@gmail.com> wrote:

So if I have a RubyForge account I can upload a modified gem, of, say,
Rails, with a backdoor, and unknowing ruby users will accidentally install
it and open a backdoor in production rails servers?

We built various checks into the gem index builder on RubyForge
to prevent overlapping gems from being deployed. Perhaps there are
holes in these checks, and if so, we'll fix them.

Yours,

Tom

···

On Mon, 2007-01-15 at 00:56 +0900, SonOfLilit wrote:

So if I have a RubyForge account I can upload a modified gem, of, say,
Rails, with a backdoor, and unknowing ruby users will accidentally install
it and open a backdoor in production rails servers?

Yep, turns out that ruport-lean was getting installed over ruport due
to that "*" rule a while back, so I've made the mistake too.

I've come to the point where any time I want to do something clever,
I've set up test environments both via gem_server and via static file
hosting like RubyForge does.

This way, if something goes wrong, it only affects me. When I get
around to it, I'll write a simple tutorial of how to set up your own
testing environment for this, and maybe talk a little bit to Tom about
getting the environment as close to RubyForge as possible.

···

On 1/14/07, Ola Bini <ola.bini@ki.se> wrote:

Just as an aside, you're not the first to make mistakes like this...

I broke Ruby 1.8.3. So don't feel too bad!!

_why

···

On Mon, Jan 15, 2007 at 03:38:40AM +0900, Ola Bini wrote:

Chris Carter wrote:
>I want to apologize to the group on this one. It was caused by my
>utter incompetence, and I know I really screwed up here [...]

Just as an aside, you're not the first to make mistakes like this...
Sometime in September I uploaded a gem to RubyForge that was generated
with JRuby [...]

Ryan's and Eric's, yes. They immediately assumed the worst and it's now clear that was an overreaction. It was an honest mistake.

James Edward Gray II

···

On Jan 14, 2007, at 12:38 PM, Ola Bini wrote:

I would like to add that I find Ryan's words quite harsh in the context. We all make mistakes.

I agree with the sentiments and it's nice for folks to address this,
but let's not build a reactions thread here. Ryan and Eric's
rudeness speaks only of Ryan and Eric, and not of the folks who they
are rude to. I do hope most of the folks on the list realize they
only represent two of many Rubyists in the world who still think
MINASWAN is a good idea.

So, I'm just saying, let's not spend time justifying for them each
time some harsh words are said.

···

On 1/14/07, John Wilger <johnwilger@gmail.com> wrote:

Chris,

Your public apology and offer to help in fixing any problems it caused
shows a lot of professionalism on your part. Everyone makes mistakes;
most people wouldn't voluntarily own up to them in front of the whole
community. You have my respect.

I agree with John, your honesty and integrity should be noted. Don't pay
attention to the squawks, they were just scared people, and some people talk
with a bullhorn for no other reason than that they own one.

Mike

···

On 1/14/07, John Wilger <johnwilger@gmail.com> wrote:

On Jan 14, 7:42 am, "Chris Carter" <cdcar...@gmail.com> wrote:
> I want to apologize to the group on this one. It was caused by my
> utter incompetence, and I know I really screwed up here
<snip>
> I am very sorry, and hope that it gets resolved
> soon, so people are no longer inconvenienced. If I can do anything to
> help this mess, please contact me. I am sorry to you Eric, and to
> this community.

Chris,

Your public apology and offer to help in fixing any problems it caused
shows a lot of professionalism on your part. Everyone makes mistakes;
most people wouldn't voluntarily own up to them in front of the whole
community. You have my respect.

--
Regards,

John Wilger
http://johnwilger.com

--
-mike

So if I have a RubyForge account I can upload a modified gem, of, say,
Rails, with a backdoor, and unknowing ruby users will accidentally install
it and open a backdoor in production rails servers?

This sounds bad. VERY bad.

It is very bad. This is the exact problem the package signing in
RubyGems was written to address.

If only people were using it...

···

* SonOfLilit (sonoflilit@gmail.com) wrote:

SonOfLilit

--
Paul Duncan <pabs@pablotron.org> pabs in #ruby-lang (OPN IRC)
http://www.pablotron.org/ OpenPGP Key ID: 0x82C29562
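Paul's point above is that a signed package lets the installer reject exactly the upload this thread is about: a look-alike gem that was not produced by the key the user trusts. The following is an added example, not the thread's code and not the RubyGems API: it models what RubyGems package signing provides, using OpenSSL directly. A .gem archive carries metadata.gz and data.tar.gz; RubyGems signs each of those with the author's key, ships the certificate chain in the archive, and the installer checks the signatures against certificates the user has chosen to trust. The certificate names, the member contents standing in for a real hoe-1.1.7.gem, and the fingerprint-list trust store are constructed for this example.

```ruby
# Added example (not the thread's code and not the RubyGems API): a model of
# RubyGems package signing written against OpenSSL. Names, member contents
# and the trust-store layout are constructed for the example.
require "openssl"

DIGEST_NAME = "SHA256".freeze

# A self-signed author certificate, the equivalent of `gem cert --build`.
def build_identity(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new(DIGEST_NAME))
  [key, cert]
end

def fingerprint(cert)
  OpenSSL::Digest.new(DIGEST_NAME).hexdigest(cert.to_der)
end

# Sign every member of the package (name => bytes) separately, as RubyGems
# does for metadata.gz and data.tar.gz.
def sign_package(key, files)
  files.transform_values { |bytes| key.sign(OpenSSL::Digest.new(DIGEST_NAME), bytes) }
end

# Verify a package against the user's trust store (certificate fingerprints).
# Returns [:ok] or a [reason, detail] pair. An unsigned or tampered member is
# refused, and so is a signer the user never trusted, which is the case that
# matters here: a look-alike upload signed by someone else.
def verify_package(cert, files, signatures, trusted_fingerprints)
  fp = fingerprint(cert)
  return [:untrusted_cert, fp] unless trusted_fingerprints.include?(fp)
  now = Time.now
  return [:cert_not_valid_now, cert.subject.to_s] unless cert.not_before <= now && now <= cert.not_after
  files.each do |name, bytes|
    sig = signatures[name]
    return [:unsigned_member, name] if sig.nil?
    ok = cert.public_key.verify(OpenSSL::Digest.new(DIGEST_NAME), sig, bytes)
    return [:bad_signature, name] unless ok
  end
  [:ok]
end

# Constructed package members standing in for a real hoe-1.1.7.gem.
GEM_FILES = {
  "metadata.gz" => "name: hoe\nversion: 1.1.7\ndependencies: [rake, rubyforge]\n",
  "data.tar.gz" => "lib/hoe.rb contents",
}.freeze

AUTHOR_KEY, AUTHOR_CERT = build_identity("hoe-maintainer")
SIGNATURES  = sign_package(AUTHOR_KEY, GEM_FILES)
TRUST_STORE = [fingerprint(AUTHOR_CERT)].freeze

# Scenario 1: the genuine package verifies.
def genuine
  verify_package(AUTHOR_CERT, GEM_FILES, SIGNATURES, TRUST_STORE)
end

# Scenario 2: the metadata was edited after signing (a dependency added).
def poisoned_metadata
  tampered = GEM_FILES.merge("metadata.gz" => GEM_FILES["metadata.gz"] + "  - zentest\n")
  verify_package(AUTHOR_CERT, tampered, SIGNATURES, TRUST_STORE)
end

# Scenario 3: a re-signed look-alike from a key the user never trusted.
def impostor
  key, cert = build_identity("someone-else")
  verify_package(cert, GEM_FILES, sign_package(key, GEM_FILES), TRUST_STORE)
end

if $PROGRAM_NAME == __FILE__
  p genuine, poisoned_metadata, impostor.first
end
```

The order of the checks is deliberate: trust in the signer is decided before any signature is examined, so a valid signature from an unknown key is never mistaken for evidence that the package is what it claims to be. That is the property an index-level name collision cannot defeat, and it only helps, as Paul says, if authors sign and users install with a policy that requires it.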