On 27.01.2010 14:43, Brian C. wrote:
If you “apt-get install libsqlite3-ruby”, then you get Ubuntu’s package
containing the ruby library which talks to the C library (libsqlite3-0).
The C library is automatically installed as a dependency. This is not a
gem; the code is installed under ruby’s site library directory.
While not the gem per se, it is the same code used as if you would do a
sudo gem install sqlite3-ruby
The advantage of the gem approach is you can easily update it if a new
version of the sqlite3-ruby gem is released. Ubuntu won’t update their
package unless there’s a security issue, or until you move to the next
version of Ubuntu.
The disadvantage of the gem approach is security:
For one, RubyGems pretty much requires root access to some directories,
for another, it makes no distinction between compile- and install-time,
so the compiler runs as root, allowing me to potentially exploit a
vulnerability in the compiler to get a backdoor installed.
Or just do a “rm -rf /”, if I were unimaginative.
RubyGems will happily overwrite anything in /usr/bin/, so I can include
a /usr/bin/less file that grants me root access:
And yes, the issue is known:
And unless you check certificates (against what? Is there a default
keystore, like a “rubyist-keyring”?), you cannot verify the integrity of
So, trading convenience against security. Be aware of the risks that
carries with it.
Oddly this is less of an issue on Windows, since Ruby is self-contained
there, and happily so, and wrecking a Windows install is exceptionally
difficult by now.
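A defensive step that follows from the concerns above, as an added example that is not part of this thread: a script that reads a .gem archive's metadata through RubyGems' own Gem::Package class (nothing inside the gem is executed) and lists the executables it would drop into the bindir and the extensions that would run a build step, so a gem can be reviewed before any root-level install. The helper names (audit_gem, risky?) are my own.

```ruby
require "rubygems"
require "rubygems/package"

# Read a .gem archive's metadata and report what an install would do with
# whatever privileges `gem install` runs under. Nothing in the gem runs:
# Gem::Package only parses metadata.gz and verifies the archive checksums.
#   executables      -> paths the install step writes into the RubyGems bindir
#                       (e.g. /usr/bin when gems are installed as root)
#   extensions       -> extconf.rb / Rakefile entries that run code at install
#                       time (the compile-as-root concern from the mail above)
#   suspicious_paths -> file entries that are absolute or climb out of the
#                       gem directory with ".."
def audit_gem(gem_path, bindir: Gem.bindir)
  spec = Gem::Package.new(gem_path).spec
  {
    name: spec.full_name,
    executables: spec.executables.map { |exe| File.join(bindir, exe) },
    extensions: spec.extensions.dup,
    suspicious_paths: spec.files.select do |f|
      f.start_with?("/") || f.split("/").include?("..")
    end,
  }
end

# True when installing this gem as root would write to the bindir or run a
# build step; the caller can then refuse, or fall back to `--user-install`.
def risky?(audit)
  !(audit[:executables].empty? &&
    audit[:extensions].empty? &&
    audit[:suspicious_paths].empty?)
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each do |path|
    audit = audit_gem(path)
    puts "#{audit[:name]}: #{risky?(audit) ? 'needs review' : 'no install-time hooks'}"
    audit[:executables].each     { |p| puts "  executable -> #{p}" }
    audit[:extensions].each      { |e| puts "  extension  -> #{e}" }
    audit[:suspicious_paths].each { |f| puts "  suspicious -> #{f}" }
  end
end
```

Run it as `ruby audit_gem.rb some-package.gem` after `gem fetch`, before `gem install`.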