rubyinstaller2 icon indicating copy to clipboard operation
rubyinstaller2 copied to clipboard
verified publisher icon oneclick

Ruby installer contacting email addresses

Open jeroenbuse opened this issue 3 years ago • 12 comments

While using the ruby installer for windows, during bthe install the installer tried to contact several email addresses that I do not know. Why is that? From whom are these email addresses?

jeroenbuse avatar May 21 '22 08:05 jeroenbuse

That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

mohits avatar May 21 '22 09:05 mohits

@jeroenbuse

pacman-key (gpg) will often show key operations, including updating/retrieving keys, which show email addresses. Is that what you saw in your console? IOW, it's not 'contacting' email addresses?

MSP-Greg avatar May 21 '22 14:05 MSP-Greg

That is likely it... and can feel suspicious to the suspecting! Let's hope that's the only thing.

mohits avatar May 21 '22 14:05 mohits

Some background. 'gpg' is a signing/encryption system. It can be used to sign/encrypt email. It also used for 'package' signing. The package system (in Windows Ruby, MSYS2) has a list of valid signing keys, and all its packages are signed with those keys.

Hence, gpg's purpose is to guarantee that the MSYS2 package(s) you are installing are valid MSYS2 packages.

MSP-Greg avatar May 21 '22 15:05 MSP-Greg

That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

Yes, odd indeed. The data is gone, not saved.

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

@jeroenbuse

pacman-key (gpg) will often show key operations, including updating/retrieving keys, which show email addresses. Is that what you saw in your console? IOW, it's not 'contacting' email addresses?

It was with gpg. I don't know if it's "contacting" or not.

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

That is likely it... and can feel suspicious to the suspecting! Let's hope that's the only thing.

Yes, maybe it is. It was not mentioned beforehand, so it surprised me. And then I get suspicious.

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

Some background. 'gpg' is a signing/encryption system. It can be used to sign/encrypt email. It also used for 'package' signing. The package system (in Windows Ruby, MSYS2) has a list of valid signing keys, and all its packages are signed with those keys.

Hence, gpg's purpose is to guarantee that the MSYS2 package(s) you are installing are valid MSYS2 packages.

Thank you for your reply. I can not validate this. This particular aspect of the installation was not mentioned beforehand. It was a complete surprise to me and I do not like that. I must be able to trust an install.

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

Hi Mohit. I got the installer from https://rubyinstaller.org/

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

Thank you all for your answers. Maybe I'll uninstall Ruby and scan my whole system. It's a pity, I want to use Ruby. Again, thanks all for your responses. :-)

jeroenbuse avatar May 22 '22 08:05 jeroenbuse

Hi @jeroenbuse - as @MSP-Greg pointed out, this is normal. It does not contact email addresses. While scanning the system is not a bad idea, this output is as expected since it's part of the integrity check.

You should be fine using Ruby on Windows!

mohits avatar May 22 '22 14:05 mohits

@jeroenbuse

Maybe I'll uninstall Ruby and scan my whole system. It's a pity, I want to use Ruby.

Have at it. All the software you're installing is included in the Windows images used for GitHub Actions. I believe a similar service is available on Azure. So...

MSP-Greg avatar May 22 '22 15:05 MSP-Greg

Since this behaviour has been identified as normal and there is nothing more being added in this conversation, I will close this issue.

mohits avatar Aug 31 '22 11:08 mohits