    I wish they went into detail about how the vulnerability worked. I took a look at the commit they linked to, but I didn’t have enough context to understand how that would allow gems to be overwritten by an attacker.

      I wonder if you could more easily verify past gems with something like:

      1. git checkout <tag>
      2. gem build
      3. compare checksum from step 2 with checksum of corresponding rubygems download

      Will that work or would a version difference in the local version of rubygems used to build the gem cause checksum differences?
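
The following is an added example, not code from the thread or from RubyGems itself, showing why step 3 above usually fails even for an honest gem and what a practitioner can compare instead. A `.gem` is a plain tar containing `metadata.gz` (the gemspec as YAML, which records the build date and the `rubygems_version` that built it), `data.tar.gz` (the shipped files) and `checksums.yaml.gz`. Two builds of identical sources therefore produce different whole-archive checksums whenever the date or the RubyGems version differs, while the per-file digests inside `data.tar.gz` stay the same. The script builds a constructed gem (hypothetical name `demo-repro`, one constructed source file) twice with different gemspec dates and compares the two archives both ways; everything about the gem is made up for the demo.

```ruby
# Added example (not from the thread or from RubyGems): why rebuilding a gem
# from its tag and comparing whole-archive checksums usually fails, and what
# to compare instead. Gem name, files and dates below are constructed.
require "rubygems"
require "rubygems/package"
require "rubygems/user_interaction"
require "digest"
require "fileutils"
require "tmpdir"
require "zlib"

DEMO_SOURCE = "module Demo\n  VERSION = '0.1.0'\nend\n".freeze # constructed file body

# Build the constructed gem in a fresh temp dir, pinning only the gemspec's
# date (which normally defaults to the day of the build). Returns the absolute
# path of the .gem; the temp dir is left in place so the archive can be inspected.
def build_demo_gem(date)
  dir = Dir.mktmpdir("gem-repro-")
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/demo.rb", DEMO_SOURCE)
    spec = Gem::Specification.new do |s|
      s.name    = "demo-repro"          # hypothetical gem name
      s.version = "0.1.0"
      s.summary = "constructed example gem"
      s.authors = ["example"]
      s.files   = ["lib/demo.rb"]
      s.date    = date
    end
    # skip_validation = true avoids "missing homepage"-style warnings in the demo;
    # Gem::Package#build still stamps rubygems_version into metadata.gz.
    Gem::DefaultUserInteraction.use_ui(Gem::SilentUI.new) do
      Gem::Package.build(spec, true)
    end
    File.expand_path(spec.file_name)
  end
end

def sha256_file(path)
  Digest::SHA256.file(path).hexdigest
end

# Walk the inner data.tar.gz of a .gem and return {path => sha256} for every
# shipped file: the part of the archive a git tag can actually be checked against.
def gem_content_digests(gem_path)
  digests = {}
  File.open(gem_path, "rb") do |io|
    Gem::Package::TarReader.new(io) do |outer|
      outer.each do |entry|
        next unless entry.full_name == "data.tar.gz"
        Zlib::GzipReader.wrap(entry) do |gz|
          Gem::Package::TarReader.new(gz) do |inner|
            inner.each do |file|
              digests[file.full_name] = Digest::SHA256.hexdigest(file.read) if file.file?
            end
          end
        end
      end
    end
  end
  digests.sort.to_h
end

# Compare two gem archives both ways: whole-file checksum (the naive rebuild
# check) and per-file content digests. Also report the build date and
# rubygems_version recorded in each metadata.gz, which is where honest rebuilds diverge.
def compare_gems(a, b)
  da = gem_content_digests(a)
  db = gem_content_digests(b)
  specs = [a, b].map { |g| Gem::Package.new(g).spec }
  {
    archive_identical:  sha256_file(a) == sha256_file(b),
    contents_identical: da == db,
    differing_files:    (da.keys | db.keys).reject { |f| da[f] == db[f] },
    dates:              specs.map { |s| s.date.utc.strftime("%F") },
    rubygems_versions:  specs.map { |s| s.rubygems_version.to_s },
  }
end

# Same sources, different build dates: archives differ, shipped contents do not.
def demo
  compare_gems(build_demo_gem(Time.utc(2020, 1, 1)), build_demo_gem(Time.utc(2021, 1, 1)))
end

if $PROGRAM_NAME == __FILE__
  demo.each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

Against a real gem, fetch the published archive with `gem fetch NAME -v VERSION`, run `gem build` from the checked-out tag, and feed both paths to `compare_gems`: `archive_identical` will typically be false for the reasons above, so the meaningful checks are `contents_identical` plus a separate diff of the two gemspecs (`gem spec FILE.gem` on each). Recent RubyGems versions honor `SOURCE_DATE_EPOCH` for the timestamps written into the tar and gzip headers, which removes one source of drift, but the `rubygems_version` stamped into metadata still changes with the tool that did the build.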