oneclick / rubyinstaller.org-website Goto Github PK

Hi,

I did below mentioned steps to verify rubyinstaller-devkit-3.0.2-1-x64.exe file.
OS: Windows 10

Import signing key

gpg --import ci.ri2-package-signing-key.asc
gpg: key 30B77F3A: "ci.ri2 package signing key" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Verify Downloaded File

gpg --verify rubyinstaller-devkit-3.0.2-1-x64.exe.asc
gpg: assuming signed data in 'rubyinstaller-devkit-3.0.2-1-x64.exe'
gpg: Signature made 07/10/21 01:46:32 Standard Time using RSA key ID AAE32BA7
gpg: Can't check signature: No public key

I downloaded signing key from https://rubyinstaller.org/ci.ri2-package-signing-key.asc.
So far I was not able to verify the download.
Is the signing key updated for new versions of Rubyinstaller?

Thank You,
Chamal.

Noticed that the home page doesn't really recommend a version to install.

Assuming that:

1. Most extension gems are now testing with 2.5 (and many with trunk).
2. For the first time, most of 2.5 was in development with full testing (test-all & test-spec) on 64 bit builds. Not the case with 2.4.

Might it be helpful for users to know that the recommendation is to use 2.5.x-x64 unless one has a particular need? I'm not that familiar with the layout or Jekyll, but I'd be happy to try...

Greg

^
#18 (comment)
@larskanis

You still didn't sign off the commit.

FYI, bought rubyinstaller2.org domain and setup to permanently redirect to existing domain. That is done as page rules in Cloudflare.

Thought was worth mentioning in case seeing some weird referrals in the analytics.

Cheers.

PS: @larskanis, thank you for your hard work maintaining RubyInstaller2 ❤️ ❤️ ❤️

The "Convenience" section of the download page is missing half a sentence.

If you want to use...

The "boxes" do not have a tooltip either.. so the intent is not discernible visually nor by hovering on the link nor by checking the source-code..

Guys professionally translated original website to russian: https://github.com/installero/rubyinstaller.ru

Could you please encourage their effort and make some users life better by writing a news post and adding the link to rubyinstaller.ru website somewhere in the footer?

Thanks

Hello, I am a contributor to the Ruffle project, and while remediating a compromise of an unused subdomain of our website, we found that your project's website had been compromised by the same threat actor. Below I will explain the details of the issue and how you can resolve it.

A subdomain of your project website has been compromised and is displaying a spam advertisement for an Indonesian gambling service. The compromised URL is "direct.rubyinstaller.org". The attack was possible because these three conditions were met:

1. You have a DNS entry for the domain "direct.rubyinstaller.org" pointing to GitHub Pages.
2. You do not have a GitHub Pages repository with a CNAME file pointing to that domain.
3. You do not have verification set up for GitHub Pages: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

Because your domain's DNS entry points to GitHub Pages, but you do not have verification set up, an attacker was able to claim your custom domain by simply creating a GitHub Pages repository and adding a CNAME file within it pointing to your domain. The GitHub Docs page I linked above explains it this way:

When you verify your custom domain for your personal account or organization, only repositories owned by your personal account or organization may be used to publish a GitHub Pages site to the verified custom domain or the domain's immediate subdomains.

Verifying your domain stops other GitHub users from taking over your custom domain and using it to publish their own GitHub Pages site. Domain takeovers can happen when you delete your repository, when your billing plan is downgraded, or after any other change which unlinks the custom domain or disables GitHub Pages while the domain remains configured for GitHub Pages and is not verified.

So there are two steps you should take immediately:

1. Remove the DNS entries for any unused subdomains of your website pointing to GitHub Pages, including the DNS entry for "direct.rubyinstaller.org".
2. Set up verification for GitHub Pages by following the instructions in the GitHub Docs page I linked above. Here is the link again: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

Once again, I found this issue with your site because we at the Ruffle project were facing the exact same compromise, and were able to take the steps above to resolve it. Let me know if I can be of any further assistance!