Automatically trust rvmrc in release path when deploying with capistrano about rvm HOT 9 CLOSED

Requires discussion with Darcy.

from rvm.

+1 to have some way of dealing with this automatically.

I am using capistrano and currently I have a custom task for this in my config/deploy.rb:

namespace :rvm do
  task :trust_rvmrc do
    run "rvm rvmrc trust #{release_path}"
  end
end

I use an after hook in my main deploy task to run the task above on each deployment:

after "deploy", "rvm:trust_rvmrc"  

Maybe the fix is as simple as defining something in rvm/capistrano that can be called to turn automatic trust on and off?

from rvm.

+1 I had to add this to get an update working

from rvm.

Anybody know if this issue was addressed? It was closed without any comments...

from rvm.

The problem with implicitly trusting the file, instead of creating trust for it's fingerprint at the time of deployment is that any subsequent changes will be trusted if a malicious user changes the file.

I would say that @bowsersenior's solution to trust the file as it's deployed is correct.

from rvm.

@richoH : I didn't consider the security implications you brought up. That is an important issue to be aware of.

from rvm.

No problem.

Another approach (potentially wiht it's own compatility concerns) would be to calculate the fingerprint of the rvmrc at the development end and include a task to update the trust on the deployment server.

This would mitigate any chance of the race condition where

1 You deploy your whole project, including the rvmrc

Attacker traps this condition and injects his own code into the rvmrc
2 You call rvmrc trust, and trust the now malicious rc file.

from rvm.

bowsersenior this has been added to the capistrano integration page on RVM's homesite. It will show as soon as wayne redeploys the update. Thank you for this!

from rvm.

Cool, thanks for the update!

from rvm.