* [ruby-core:93257] [Ruby trunk Feature#15942] gem: Warn on known vulnerable packages
From: andrew.pennebaker @ 2019-06-19 18:44 UTC
  To: ruby-core

Issue #15942 has been reported by mcandre (Andrew Pennebaker).

----------------------------------------
Feature #15942: gem: Warn on known vulnerable packages
https://bugs.ruby-lang.org/issues/15942

* Author: mcandre (Andrew Pennebaker)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
In comparison to RubyGems, NPM offers built-in warnings when users attempt to install packages with known vulnerabilities. This helps developers react more quickly to security concerns by updating or replacing their dependencies.

CI automation systems, such as GitHub's, now implement alerts for vulnerabilities in Ruby projects. Now that we know this is technically possible, let's move the warnings directly into gem, so that regardless of where code is pushed, and before code is pushed, devs get a clear warning when they reference vulnerable RubyGems packages.



-- 
https://bugs.ruby-lang.org/


* [ruby-core:93263] [Ruby trunk Feature#15942] gem: Warn on known vulnerable packages
From: shevegen @ 2019-06-19 21:23 UTC
  To: ruby-core

Issue #15942 has been updated by shevegen (Robert A. Heiler).


I think this may be better to raise at https://github.com/rubygems/rubygems - while some
ruby core members contribute to the code of gems, it still seems to fit better to the
github site of rubygems.

To the feature/functionality in itself - I am not sure if gem as-is provides sufficient
information for this to support it. Is there any project tracking other projects with
vulnerabilities? Nothing wrong with having, as an OPTION (thus, can be toggled), the
ability to set this feature; I am not sure if this is easily available right now for
gems. Either way, I think it should be at the gem issue tracker instead.

(Reason I write that it should be optional is primarily because not everyone may want
to have the behaviour changed; so with an option that can be toggled, ruby developers
can decide on their own here.)

----------------------------------------
Feature #15942: gem: Warn on known vulnerable packages
https://bugs.ruby-lang.org/issues/15942#change-78723

* Author: mcandre (Andrew Pennebaker)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------


* [ruby-core:93268] [Ruby trunk Feature#15942] gem: Warn on known vulnerable packages
From: duerst @ 2019-06-20  4:32 UTC
  To: ruby-core

Issue #15942 has been updated by duerst (Martin Dürst).

Status changed from Open to Third Party's Issue

What @shevegen says: raise it at https://github.com/rubygems/rubygems, please.

----------------------------------------
Feature #15942: gem: Warn on known vulnerable packages
https://bugs.ruby-lang.org/issues/15942#change-78726

* Author: mcandre (Andrew Pennebaker)
* Status: Third Party's Issue
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
