pjhyett / github-gem-builder
commit d170057eca4622d25d3bde81d891ef3f3a2cf060
tree 0169265c782e00784b580870eb6f09c972c4cc3b
parent ca3643d3d26ec0cb1b5f23ee9febea485c94e288
Files in this tree:
- README
- gem_builder.rb
- gem_eval.rb
- gem_eval_test.rb
- git_mock
- lazy_dir.rb
- lazy_dir_test.rb
- security.rb
- security_test.rb
README
GitHub's Gem Evaler
-------------------

Help make GitHub's gem build process more secure and robust! There are two components associated with this:

* gem_builder.rb - Script that builds the gem
* gem_eval.rb - Sandboxed Sinatra app that evals ruby gemspecs

gem_builder.rb works as follows:

1) process() is called with a repository object and the path to the gemspec
2) If the spec is not in YAML, a request is made to the gem evaler (see below how it works)
3) A Gem::Specification object is created from the YAML gemspec and renamed with the user's login
4) The gem is built from the Gem::Specification using a monkey-patched version of RubyGems, so instead of grabbing the files from the filesystem, they're grabbed from the git repo

gem_eval.rb works as follows:

1) Receives a request with the repo location and the ruby gemspec
2) Makes a shallow clone of the repo and chdir's to that repo
3) Evals the spec in a separate thread with a higher $SAFE level
4) Converts spec to YAML

Goals
-----

* Lower the $SAFE level to allow methods like Dir.glob, but without compromising security.
* Never get another email from someone wondering why their gem didn't build
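The hand-off between the two components (step 4 of gem_eval.rb produces YAML, step 3 of gem_builder.rb consumes it) is what keeps untrusted Ruby out of the builder process: the builder only ever parses YAML through RubyGems' restricted loader and never evals the user's gemspec itself. The following is an added example, not code from the github-gem-builder repository. It constructs a spec inline instead of eval'ing a real .gemspec, and the `login-gemname` renaming convention is an assumption, not something the README specifies.

```ruby
require 'rubygems'
require 'yaml'

# Stand-in for gem_eval.rb step 4: the evaluated spec is handed back as YAML.
# The spec here is constructed inline (sample data) rather than eval'd from a file.
def build_yaml_spec
  spec = Gem::Specification.new do |s|
    s.name    = 'widget'
    s.version = '0.1.0'
    s.summary = 'constructed sample gem'
    s.authors = ['someone']
    s.files   = ['lib/widget.rb']
  end
  spec.to_yaml
end

# Stand-in for gem_builder.rb step 3: rebuild the object from YAML and rename it.
# Gem::Specification.from_yaml goes through RubyGems' permitted-class YAML loader
# and raises Gem::Exception when the document is not a Gem::Specification, so
# nothing from the user's gemspec is executed as Ruby on this side.
def load_and_rename(yaml, login)
  spec = Gem::Specification.from_yaml(yaml)
  spec.name = "#{login}-#{spec.name}"   # assumed convention: prefix with the user's login
  spec
end

# Returns true when the loader refuses input that does not describe a gem spec.
def rejects_non_spec?(yaml)
  Gem::Specification.from_yaml(yaml)
  false
rescue Gem::Exception
  true
end

if __FILE__ == $PROGRAM_NAME
  yaml = build_yaml_spec
  spec = load_and_rename(yaml, 'pjhyett')
  puts spec.full_name                      # pjhyett-widget-0.1.0
  puts rejects_non_spec?("--- just a string\n")
end
```

The round trip uses the same serialization RubyGems itself uses for a gem's metadata, so anything the YAML loader cannot represent with its permitted classes is dropped or rejected rather than evaluated; that is the property the README's $SAFE work is meant to preserve on the evaler side while the builder side stays eval-free.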

