Add per-gem flag to stop linking to .gem files #3883
Labels
Comments
|
I can implement this @indirect if welcomed, but it would be fair to make it transparent to users visiting that page and I would like to propose this only as a temporary solution for now, not accepting the fact that foreign party can control what content is safe and could be linked on rubygems.org. In theory, anyone can push a gem with metadata linking to any of those gem paths and create "harmful" page today. |
|
Yes, I think that's fine. Ultimately, we would like to be able to convince the Safe Browsing team to stop marking security research as malware. |
|
Seems reasonable. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem?
Yes. As described at length in rapid7/metasploit-payloads#650, the metasploit-payloads gem has been flagged by the Google Safe Browsing team as malware. This causes some automated tools to list rubygems.org as "may contain malware", and inserts a giant red banner in Chrome, Safari, and Firefox on the pages that link to any .gem downloads. The exact list of blocked/warned pages is copied below.
Describe the solution you'd like
I propose that we add a per-gem flag to remove the link tags to download each .gem file. This should not disrupt any actual users, who are installing the gems via
gem installorbundle install, but it will (hopefully) remove the giant red interstitial warnings. It will not, sadly, clear the "may contain malware" flag on rubygems.org, because we would continue to host the actual .gem files even if we aren't linking to them anymore.Describe alternatives you've considered
Additional context
According to the Google Search Console, the current list of supposed "malware" files is:
The list of pages that are being flagged for linking to the above files are:
The text was updated successfully, but these errors were encountered: