About RubyInstaller security releases


Luis Lavena

Nov 23, 2013, 2:39:10 PM
to rubyin...@googlegroups.com
Hello,

Yesterday (Nov 22), the Ruby development team (Ruby Core) released a bugfix version
of both Ruby 1.9.3 and 2.0.0 that corrects a reported vulnerability.

You can read the release notes of these new releases and also the specific
notes about the security exploit:


As usual, the RubyInstaller team is building and testing this new release to provide
you with updated binaries to be used in your development, production or integration
environments.

These binaries will be released soon and announced, as usual, on our group and
website.

But due to a small issue with our code signing certificates, these installers
will not be digitally signed.

As you know, since 2010, our installers (.exe) have been digitally signed by
me to ensure no tampering has been done to the executables.

This has been my commitment to the project to ensure you, the company you work
for or your customers that we care about the integrity of this product.

As done every time, a new code signing order was put on Comodo, ID documents
have been provided and the wait process to receive the certificate started.

To my surprise, a new certificate requirement was added: Reliable Method of
Communication.

As outlined in CABF Baseline requirements:


This requirement allows the Certificate Issuer to use different ways to
determine a reliable way to communicate with the Applicant Representative (me).

Comodo forces this to be phone validation, which in my particular case I cannot
comply with, as my phone number is unlisted here in Argentina and not shown on
the supported websites.

I've attempted to figure out solutions to this situation and discussed it with
Comodo, but they have their process and requirements that cannot be ignored.

It is sad there is no easy way for Open-Source developers to provide their
tools to others with a certain level of trust and integrity more than just
a checksum.

It is also sad there are no Certificate Issuer companies offering code signing
certificates to Open-Source developers.

I'm still looking for workarounds to this situation, but in the meantime, you
will have to *trust me* (or at least, verify the MD5 signature of the file
you just downloaded).

I will send a follow-up shortly.

Thank you for your time.
-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry
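The fallback the post asks for (checking the downloaded file's digest against the published value) as an added example in Ruby, not RubyInstaller's own code: it parses an md5sum/sha256sum-style manifest, digests the file (SHA-256 by default, `Digest::MD5` selectable when that is all the publisher lists) and returns a verdict. The manifest line format, file name and file bytes in the demo are constructed.

```ruby
require "digest"
require "tmpdir"

# Parse an md5sum/sha256sum-style manifest: "<hex digest>  <filename>" per line
# (a leading "*" before the name, as md5sum -b writes it, is tolerated).
def parse_manifest(text)
  text.each_line.with_object({}) do |line, map|
    hex, name = line.strip.split(/\s+\*?/, 2)
    next unless hex && name && hex.match?(/\A\h+\z/)
    map[name] = hex.downcase
  end
end

# Digest the file with the chosen algorithm and compare against the manifest.
# Returns :ok, :mismatch (bytes differ, or the digest length does not match the
# algorithm, e.g. an MD5 manifest checked with SHA-256), or :missing (no entry).
def verify_file(path, manifest, algo: Digest::SHA256)
  expected = manifest[File.basename(path)]
  return :missing unless expected
  actual = algo.file(path).hexdigest
  actual == expected ? :ok : :mismatch
end

# Constructed demo: a fake installer, a manifest built from its digest, then
# the same file after tampering. Returns [verdict_before, verdict_after].
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "rubyinstaller-demo.exe")
    File.binwrite(path, "MZ constructed fake installer bytes\n")
    manifest = parse_manifest("#{Digest::SHA256.file(path).hexdigest}  rubyinstaller-demo.exe\n")
    before = verify_file(path, manifest)
    File.binwrite(path, "MZ constructed fake installer bytes, one byte flipped\n")
    after = verify_file(path, manifest)
    [before, after]
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```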

Richard Campbell

Dec 1, 2014, 11:25:40 AM
to rubyin...@googlegroups.com
Would using a google voice number help?  (voice.google.com).

Luis Lavena

Dec 1, 2014, 11:51:00 AM
to rubyin...@googlegroups.com
On Mon, Dec 1, 2014 at 1:25 PM, Richard Campbell <rich.c...@wirecare.com> wrote:
> Would using a google voice number help?  (voice.google.com).


No, as the requirement mentions the phone number needs to be listed under my name and be part of the same country.

Reliable Method of Communication: A method of communication, such as a postal/courier delivery address,
telephone number, or email address, that was verified using a source other than the Applicant Representative. 

Since I'm based in Argentina, the phone number needs to be provided by the official listing of phone numbers of Argentina.

Google Voice is US-based, which will not match my provided documentation.

It is a shame that no CA provides an easy way for Open-Source developers to obtain a code signing key without this complicated process.

Cheers,
-- 

Dušan D. Majkić

Dec 1, 2014, 4:40:57 PM
to rubyin...@googlegroups.com
> Is a shame that no CA provides an easy way for Open-Source developers to
> obtain a code signing key without this complicated process.

Could this be of some use?

http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

They require some form of ID sent by email/fax and a valid site.

Regards.

Luis Lavena

Dec 1, 2014, 4:42:08 PM
to rubyin...@googlegroups.com
I've already tried submitting the form, never got a response to continue with the process.
-- 