

Nobody Cares About Signed Gems - FooBarWidget
http://www.rubygems-openpgp-ca.org/blog/nobody-cares-about-signed-gems.html

======
brohee
Not surprised at all. The Ruby community is not very security conscious.

For example, the RVM install instructions used to be

    curl -L get.rvm.io | bash -s stable

(see
[https://web.archive.org/web/20120420030416/https://rvm.io//](https://web.archive.org/web/20120420030416/https://rvm.io//)
for proof), which is a recipe to get owned should anyone MITM you, poison your
DNS, or take control of rvm.io.

At least the RVM install instructions got changed to the safer (but still pretty
vulnerable to an rvm.io compromise)

    \curl -sSL https://get.rvm.io | bash

But that the completely unchecked version lived for so long without anyone
caring too much shows that the Ruby community doesn't care much...
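The safer pattern the comment above hints at, as an added example that is not code from the thread, from RVM, or from the linked post: instead of piping an installer straight into bash, download it to a file with curl options that refuse plain http and HTTP error pages, check it against a digest you obtained out of band, and only then execute it. The URL and expected digest passed to `install_verified` are placeholders you would fill in yourself; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: download -> verify -> execute, instead of "curl | bash".
# Nothing here is RVM's own installer code; URL and digest are placeholders.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 matches the pinned digest, 1 otherwise.
# The digest must come from somewhere other than the download channel
# (a signed release note, a value you recorded earlier), or it proves nothing.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# fetch_installer URL DEST
#   --proto '=https'  refuse plain http, even via a redirect followed by -L
#   --tlsv1.2         refuse older TLS versions
#   -f                make an HTTP 4xx/5xx a curl failure rather than an
#                     error page that a "| bash" would happily execute
#   -sS               quiet, but still print errors
fetch_installer() {
    url=$1
    dest=$2
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url"
}

# install_verified URL EXPECTED_HEX
# Fetches the installer to a temp file, verifies it, then runs it.
# A partial download or a mismatch never reaches bash.
install_verified() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_installer "$url" "$tmp"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "installer digest mismatch, refusing to run $url" >&2
        return 1
    fi
    bash "$tmp"
}

# Usage (placeholders, not a real release digest):
#   install_verified https://example.invalid/installer.sh <sha256-from-a-trusted-source>
```

Pinning a digest still means trusting whoever published it; a signature from a key you already hold (RVM does publish GPG-signed releases) closes that gap, but the shape of the script is the same: nothing runs until the artifact on disk has been checked.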

