please remove the active_support gem


Matt Aimonetti

07 Feb, 2013 04:31 AM

https://rubygems.org/gems/active_support is a metagem that is meant for people who mistype the activesupport gem.

There are a few problems with this gem:

  • The gem isn't maintained, so it points to an ancient version of activesupport (3.0.0)
  • The gem could contain evil code and users could run this code without realizing it
  • The gem has almost 120k downloads

For security reasons and for a better user experience, I would recommend removing this gem. I would also suggest setting up some sort of redirect or message when users try to install the gem with the typo in it (I do realize it probably would mean opening a can of worms, but AS is one of Ruby's most popular gems, so maybe it can be treated as an exception).

Thanks,

  • Matt

  1. Posted by Eric Hodel (Support Staff) on 07 Feb, 2013 04:41 AM


    I've added mkristian who pushed this gem to this discussion.

    We have not yanked a gem for these reasons before so I don't want to discuss this properly.

    Modern RubyGems suggests other names when you typo so we don't need to worry about redirects for gem install.

    Since we now have typo suggestions in RubyGems I think the reasons for releasing this gem are no longer valid.

    I'm concerned that active_support is confusingly similar to activesupport. It infringes on the real gem's namespace.

    I'm concerned that the gem is unmaintained. I don't think a maintained version is particularly better, especially when the real gem is very popular (near 20 million downloads, near 800k for its current version) and a security release in activesupport could cause users to be out of date, even if only by a few critical hours.

    I think this gem should be removed.

  2. Posted by me on 07 Feb, 2013 11:15 AM


    Just thought I'd jump in and point out that http://rubygems.org/gems/bundle is very similar in goal.

  3. Posted by kristian on 07 Feb, 2013 12:31 PM


    Since my reply over the web GUI did not reach: the reason for me to add that "redirect" gem was that https://rubygems.org/gems/rails_config/versions/0.1.0 depends on it. For Maven, installing rails_config without an explicit version works only if the dependencies can be resolved.

    By now there is a way to mark gems as broken for the https://github.com/torquebox/jruby-maven-plugins/tree/master/gem-proxy or https://github.com/sonatype/nexus-ruby-support, so from my side yanking active_support is no problem. Actually, I will do it unless there are objections here in this discussion.

  4. Posted by Matt Aimonetti on 07 Feb, 2013 05:04 PM


    Kristian, thanks for the quick response.

    My guess is that in most cases the authors would agree to remove the gem since we now have typo suggestions. However, should we blacklist some gem names so potential attackers wouldn't use common typos to potentially make users' machines vulnerable?
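A registry-side name-similarity check of the kind Matt's last question raises, as an added example that is not code from RubyGems or from anyone in this thread; the protected-name list and the edit-distance threshold are assumptions:

```ruby
# Added example (not RubyGems' code): flag a proposed gem name that is
# confusingly similar to an existing popular gem, so a registry could
# reject or review it before publication. Two checks are combined:
#   1. identical once separators are removed (active_support vs activesupport)
#   2. Levenshtein distance <= 1 after normalization (bundle vs bundler)

SEPARATORS = /[-_.]/

def normalize(name)
  name.downcase.gsub(SEPARATORS, "")
end

# Classic dynamic-programming edit distance between two strings.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev[b.length]
end

# Constructed list standing in for the registry's most-downloaded gems.
PROTECTED = %w[activesupport activerecord bundler rails rake].freeze

# Returns the protected names the candidate is confusable with
# (empty array means the name looks safe to publish).
def confusable_with(candidate, names = PROTECTED)
  cand = normalize(candidate)
  names.reject { |n| n == candidate }.select do |n|
    norm = normalize(n)
    cand == norm || levenshtein(cand, norm) <= 1
  end
end

if __FILE__ == $0
  %w[active_support bundle activesuport rails_config].each do |name|
    puts "#{name}: #{confusable_with(name).inspect}"
  end
end
```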
