On Jan 14, 2007, at 03:20, Ross B. wrote:
This is obviously the work of someone extending rubygems to have
developer dependencies. Regardless of intent: you had NO RIGHT to
upload ANYTHING to the gem repository under someone else’s name or
project. NONE. EVER. To say that I’m unhappy about this (and you)
is a vast [email protected] understatement.
Is the implication here that someone on seattle.rb uploaded a new
gem, or that someone hacked RubyForge to do it, or what?
You can upload a gem of any name to any RubyForge project, including
gems with name collisions. It appears that somebody uploaded a
modified copy of hoe then deleted it shortly afterward.
Only the gem index has been poisoned; it seems that the bad hoe
didn’t get mirrored.
The poisoning indicates it was done by somebody attempting to add
developer dependencies to RubyGems.
Just wondering, since if it’s the latter others may need to check
their gems too,
While this upsets me to no end, I’ll pin it on incompetence and/or
Whoever did this ignored a perfectly good set of unit tests, testing
tools, and the gem_server command itself to test out what they were
and Tom C. should probably hear about it.
He’s been notified, but he’s asleep.
Eric H. - [email protected] - http://blog.segment7.net
YOU LIT MY GEM ON FIRE!