please remove the active_support gem
https://rubygems.org/gems/active_support is a metagem that is meant for people who mistype the activesupport gem.
There are a few problems with this gem:
- The gem isn't maintained, so it points to an ancient version of activesupport, 3.0.0
- The gem could contain evil code and users could run this code without realizing it
- The gem has almost 120k downloads
For security reasons and for a better user experience I would recommend removing this gem. I would also suggest setting up some sort of redirect or message when users try to install the gem with the typo in it (I do realize it probably would mean opening a can of worms, but AS is one of Ruby's most popular gems so maybe it can be treated as an exception).
Thanks,
- Matt
Support Staff 1 Posted by Eric Hodel on 07 Feb, 2013 04:41 AM
I've added mkristian who pushed this gem to this discussion.
We have not yanked a gem for these reasons before so I don't want to discuss this properly.
Modern RubyGems suggests other names when you typo, so we don't need to worry about redirects for gem install. Since we now have typo suggestions in RubyGems I think the reasons for releasing this gem are no longer valid.
I'm concerned that active_support is confusingly similar to activesupport. It infringes on the real gem's namespace.
I'm concerned that the gem is unmaintained. I don't think a maintained version is particularly better, especially when the real gem is very popular (near 20 million downloads, near 800k for its current version) and a security release in activesupport could cause users to be out of date, even if only by a few critical hours.
I think this gem should be removed.
2 Posted by Matt Aimonetti on 07 Feb, 2013 05:24 AM
Someone pointed out that GitHub is full of projects, probably mistakenly referencing this gem: https://github.com/search?p=3&q=gem+%27active_support%27&re...
21,418 code references as of right now, some with really recent commits.
3 Posted by me on 07 Feb, 2013 11:15 AM
Just thought I'd jump in and point out that http://rubygems.org/gems/bundle is very similar in goal.
4 Posted by kristian on 07 Feb, 2013 12:31 PM
Since my reply over the web GUI did not reach: the reason for me to add that "redirect" gem was that https://rubygems.org/gems/rails_config/versions/0.1.0 depends on it. For Maven to install rails_config without an explicit version works only if the dependencies can be resolved. By now there is a way to mark gems as broken for the https://github.com/torquebox/jruby-maven-plugins/tree/master/gem-proxy or https://github.com/sonatype/nexus-ruby-support, so from my side yanking active_support is no problem. Actually I will do it unless there are some objections here in this discussion.
5 Posted by Matt Aimonetti on 07 Feb, 2013 05:04 PM
Kristian, thanks for the quick response.
My guess is that in most cases the authors would agree to remove the gem since we now have typo suggestions. However, should we blacklist some gem names so potential attackers wouldn't use common typos to potentially make users' machines vulnerable?
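One shape the blacklist asked about above could take, as an added example that is not RubyGems.org's code: a registry-side check that normalizes a candidate name (active_support, active-support and activesupport all collapse to the same string) and holds it for review if it is within one edit of a popular gem. The popular-gem list is constructed here for illustration.

```ruby
# Added example (not RubyGems.org code): flag a proposed gem name that is
# confusingly close to a popular gem, as a check run at push time.
# Constructed list for illustration; a real registry would use download stats.
POPULAR_GEMS = %w[activesupport bundler rails rake nokogiri rspec].freeze

# Collapse the separators people mistype or omit, so active_support,
# active-support and ActiveSupport all normalize to "activesupport".
def normalize_gem_name(name)
  name.downcase.gsub(/[-_.]/, "")
end

# Damerau-Levenshtein (optimal string alignment) distance: an insertion,
# deletion, substitution or adjacent transposition each cost 1.
def edit_distance(a, b)
  rows, cols = a.length, b.length
  d = Array.new(rows + 1) { |i| Array.new(cols + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..rows).each do |i|
    (1..cols).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      # Adjacent transposition, e.g. "acitve" -> "active", counts as one edit.
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[rows][cols]
end

# Returns the popular gem the candidate collides with, or nil if it is fine.
# An exact name match is not a typo; ordinary ownership checks cover that.
def typo_collision(candidate, popular = POPULAR_GEMS, max_distance: 1)
  return nil if popular.include?(candidate)
  norm = normalize_gem_name(candidate)
  popular.find { |real| edit_distance(norm, normalize_gem_name(real)) <= max_distance }
end

if __FILE__ == $PROGRAM_NAME
  %w[active_support bundle activesupport nokogir rails_config].each do |name|
    hit = typo_collision(name)
    puts "#{name}: #{hit ? "too close to #{hit}, hold for review" : 'ok'}"
  end
end
```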
6 Posted by Christian Meier on 17 Aug, 2015 08:41 PM
The gem got yanked a while ago: https://rubygems.org/gems/active_support
Not sure what else I can do to improve the situation.
Support Staff 7 Posted by Nick Quaranto on 18 Aug, 2015 02:08 PM
We're working on a set of policies that hopefully will deal with "typo" gems that sound like or are close to the real gem names. More on that soon at the rubygems mailing lists/blog. Marking this one as closed for now.
Nick Quaranto closed this discussion on 18 Aug, 2015 02:08 PM.