Is your feature request related to a problem?
Yes. As described at length in rapid7/metasploit-payloads#650, the metasploit-payloads gem has been flagged by the Google Safe Browsing team as malware. This causes some automated tools to list rubygems.org as "may contain malware", and inserts a giant red banner in Chrome, Safari, and Firefox on the pages that link to any .gem downloads. The exact list of blocked/warned pages is copied below.
Describe the solution you'd like
I propose that we add a per-gem flag to remove the link tags to download each .gem file. This should not disrupt any actual users, who are installing the gems via gem install or bundle install, but it will (hopefully) remove the giant red interstitial warnings. It will not, sadly, clear the "may contain malware" flag on rubygems.org, because we would continue to host the actual .gem files even if we aren't linking to them anymore.
Describe alternatives you've considered
We could do nothing. It's probably fine to do nothing, although it would continue to show (inaccurate) malware warnings in major browsers when you visit any HTML pages about the metasploit-payloads gem.
We could remove the metasploit-payloads gem from rubygems.org. This seems unfair to Rapid7 and the security research community, as well as factually inaccurate--the gem contains code for security research purposes that you could use to harm a computer, but it will not itself harm your computer to download and unpack it, so it is not malware.
Additional context
According to the Google Search Console, the current list of supposed "malware" files is:
The list of pages that are being flagged for linking to the above files is:
I can implement this @indirect if welcomed, but it would be fair to make it transparent to users visiting that page, and I would like to propose this only as a temporary solution for now, not accepting the fact that a foreign party can control what content is safe and could be linked on rubygems.org. In theory, anyone can push a gem with metadata linking to any of those gem paths and create a "harmful" page today.
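The abuse path raised in the comment above (a third-party gem whose metadata links to the flagged .gem download paths, so that its own page carries the link) can be checked for on the gemspec side. The following is an added example, not code from the issue or from rubygems.org; it assumes that downloads live under /downloads/ or /gems/ on rubygems.org and that the listed metadata keys are the ones rendered as links, both of which are assumptions rather than facts stated in the issue.

```ruby
require "rubygems"
require "uri"

# Added example, not rubygems.org code. It scans the URL-bearing fields of a
# gemspec for links that point at .gem download paths on rubygems.org, which is
# the vector described in the comment: any gem can carry such a link in its
# metadata and thereby turn its own page into a "flagged" page.
#
# Assumptions (not taken from the issue): downloads live under /downloads/ or
# /gems/ on rubygems.org, and these are the metadata keys rendered as links.
GEM_DOWNLOAD_PATH = %r{\A/(?:downloads|gems)/[^/]+\.gem\z}
LINK_METADATA_KEYS = %w[
  homepage_uri source_code_uri changelog_uri documentation_uri
  bug_tracker_uri wiki_uri mailing_list_uri funding_uri
].freeze

# Exact host or a subdomain; a look-alike such as evilrubygems.org must not match.
def rubygems_host?(host)
  host == "rubygems.org" || host.to_s.end_with?(".rubygems.org")
end

# True when +value+ is an http(s) URL to a .gem file on rubygems.org.
# Anything unparsable (nil, free text) is treated as "not a download link".
def gem_download_link?(value)
  uri = URI.parse(value.to_s)
  return false unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  rubygems_host?(uri.host) && GEM_DOWNLOAD_PATH.match?(uri.path)
rescue URI::InvalidURIError
  false
end

# Returns { field => url } for every spec field that links to a .gem download.
def gem_download_links(spec)
  links = { "homepage" => spec.homepage }
  LINK_METADATA_KEYS.each do |key|
    links[key] = spec.metadata[key] if spec.metadata.key?(key)
  end
  links.select { |_field, url| gem_download_link?(url) }
end

# Constructed sample gemspec (not a real gem): homepage and source_code_uri point
# at .gem downloads, changelog_uri is an ordinary link, wiki_uri is not a URL.
SAMPLE_SPEC = Gem::Specification.new("example-linker", "0.1.0") do |s|
  s.summary  = "constructed sample"
  s.authors  = ["example"]
  s.homepage = "https://rubygems.org/downloads/some-gem-1.0.0.gem"
  s.metadata = {
    "source_code_uri" => "https://rubygems.org/gems/some-gem-1.0.0.gem",
    "changelog_uri"   => "https://example.invalid/CHANGELOG.md",
    "wiki_uri"        => "not a url at all",
  }
end

if __FILE__ == $PROGRAM_NAME
  gem_download_links(SAMPLE_SPEC).each { |field, url| puts "#{field}: #{url}" }
end
```

Run against the constructed spec, the scan reports the homepage and source_code_uri fields and ignores the ordinary changelog link and the non-URL value; the same function could be applied to a spec at push time to surface links of this kind before the page is rendered.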