[DRE-maint] Bug#448639: rubygems and FHS compliance in Debian and Ubuntu
daigo at debian.org
Sat Aug 28 02:21:46 UTC 2010
Clint Byrum wrote:
> In the upstream default install of rubygems, the default location for
> these binaries and rubygems library files is /usr/bin, and /usr/lib
> respectively. This places the binaries in the default shell path for most
> FHS systems, so that users can have an experience something like this:
> $ sudo gem install rails [... gem downloads and installs rails ... ]
> $ rails my-facebook-killer-app/ [... A skeleton of a rails app is
> created ... ... I Start hacking on my-facebook-killer-app ...]
My opinion is opposite. I'd like to require users a manual intervention to
execute binaries from gems due to security concern. Users might think that gem
install something is very similar to apt-get install something. However,
Rubygems' security culture differs from Debian's. Signed gems are not popular.
Imagine that a gem (located in a server or through network) is attacked to
include a malicious executable named 'ls', which then installs in your
In addition, I'd like to make room in /usr/local/bin for local installations,
such as setup.rb, make && make install etc... I think that I have made success
in this point since nobody has ever claimed that /var/lib/gems is in his/her way.
> However, this introduced an incompatibility with the FHS definition of
> the purpose of /var.
I agree with the primary purpose of /var that you mentioned. But I can not find
any better place to install gems files with two points above satisfied.
daigo at debian dot org
More information about the Pkg-ruby-extras-maintainers