What I saw was Ben twerping to Ruby people asking who to contact about this first, then posting to HN when he couldn't find the right person. Can I ask, where's the security page on Rubygems.org that tells people who to alert when stuff like this happens? I'm trying to find it on Archive.org and drawing a blank.
If the whole world is pulling backdoored gems off a compromised Rubygems.org, panic seems like a reasonable first reaction. This isn't the Rails bug; there was nothing to be gained here from secrecy.
I became aware of this problem this morning when it was discussed on a public github issue. I think the problem has been known for a couple of weeks. I checked latest rack and active_support gem (would seem to be good targets...) to see if they had been backdoored but they were clean. Not sure if these gems are still clean or if any others have been compromised.
to see if they had been backdoored but they were clean
You can never be too sure. There's a whole contest (http://underhanded.xcott.com/) whose goal is "make something that looks legit, but actually does something evil / has an exploit).
Now would be a good time to build up a quick script to compare the last modification time of the files on S3 against the updated_at of any gem record in the system. If the delta is too long, that would be a candidate for deeper investigation.
Ah, so were were supposed to look at the .yml files included in your exploit gem? Which contained some injected code that would then run on the rubygems server?
If someone compromised a package repository and replaced OpenSSH with a backdoored version, I would want to know immediately, and relay that message as quickly as possible to as many other users as possible before it spreads.
It is better to be paranoid about it and get the word out before someone actually gets hurt. If the users get to it before the maintainer gets to it, at least someone got the word out.