[DRE-maint] Bug#448639: rubygems and FHS compliance in Debian and Ubuntu

Daigo Moriwaki daigo at debian.org
Sat Aug 28 02:21:46 UTC 2010


Clint,

Clint Byrum wrote:
> In the upstream default install of rubygems, the default location for
> these binaries and rubygems library files is /usr/bin, and /usr/lib
> respectively. This places the binaries in the default shell path for most
> FHS systems, so that users can have an experience something like this:
> 
> $ sudo gem install rails
> [... gem downloads and installs rails ...]
> $ rails my-facebook-killer-app/
> [... A skeleton of a rails app is created ... I start hacking on my-facebook-killer-app ...]

My opinion is the opposite. I'd like to require a manual intervention from users
to execute binaries from gems, due to security concerns. Users might think that
"gem install something" is very similar to "apt-get install something". However,
Rubygems' security culture differs from Debian's. Signed gems are not popular.
Imagine that a gem (located on a server or fetched through the network) is
attacked to include a malicious executable named 'ls', which then gets installed
in your /usr/local/bin.

In addition, I'd like to make room in /usr/local/bin for local installations,
such as setup.rb, make && make install, etc. I think that I have succeeded on
this point, since nobody has ever complained that /var/lib/gems is in his/her way.


> However, this introduced an incompatibility with the FHS definition of
> the purpose of /var[1].

I agree with the primary purpose of /var that you mentioned. But I cannot find
any better place to install gem files that satisfies the two points above.

Regards,
Daigo

-- 
Daigo Moriwaki
daigo at debian dot org
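As an added example (not part of the thread and not Debian or Rubygems code), here is a small POSIX shell check for the collision described in the mail above: it scans a gem bin directory and reports any executable whose name already exists under the assumed system directories /bin and /usr/bin, so an administrator can see what would be shadowed before placing that directory on PATH. The gem directory contents are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example: detect gem-installed executables that would shadow a system
# command if their directory were put ahead of the system paths in PATH.
# Assumption: system commands live in the directories listed in SYSTEM_DIRS.
SYSTEM_DIRS="/bin /usr/bin"

# Print "<name> shadows <system path>" for every executable in $1 whose name
# also exists as an executable in one of SYSTEM_DIRS.
# Returns 1 if at least one collision was found, 0 otherwise.
check_gem_bindir() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=$(basename "$f")
        for sd in $SYSTEM_DIRS; do
            if [ -x "$sd/$name" ]; then
                echo "$name shadows $sd/$name"
                found=1
                break
            fi
        done
    done
    return $found
}

# Demonstration on a constructed gem bin directory: a harmless 'rails'
# wrapper plus a file named 'ls', the collision the mail warns about.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho rails\n' > "$demo_dir/rails"
printf '#!/bin/sh\necho not-the-real-ls\n' > "$demo_dir/ls"
chmod +x "$demo_dir/rails" "$demo_dir/ls"
check_gem_bindir "$demo_dir" || echo "collision found; keep $demo_dir off PATH"
rm -rf "$demo_dir"
```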

More information about the Pkg-ruby-extras-maintainers mailing list