oneclick / rubyinstaller2

MSYS2 based RubyInstaller for Windows
https://rubyinstaller.org
BSD 3-Clause "New" or "Revised" License
645 stars 248 forks

Ruby installer contacting email addresses #283

Closed jeroenbuse closed 1 year ago

jeroenbuse commented 2 years ago

While using the ruby installer for windows, during the install the installer tried to contact several email addresses that I do not know. Why is that? From whom are these email addresses?

mohits commented 2 years ago

That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

MSP-Greg commented 2 years ago

@jeroenbuse

pacman-key (gpg) will often show key operations, including updating/retrieving keys, which show email addresses. Is that what you saw in your console? IOW, it's not 'contacting' email addresses?

mohits commented 2 years ago

That is likely it... and can feel suspicious to the suspecting! Let's hope that's the only thing.

MSP-Greg commented 2 years ago

Some background. 'gpg' is a signing/encryption system. It can be used to sign/encrypt email. It is also used for 'package' signing. The package system (in Windows Ruby, MSYS2) has a list of valid signing keys, and all its packages are signed with those keys.

Hence, gpg's purpose is to guarantee that the MSYS2 package(s) you are installing are valid MSYS2 packages.
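To make the explanation above concrete, here is an added example (not part of the thread and not RubyInstaller or MSYS2 code) that parses a key listing in gpg's `--with-colons` format and shows that each email address is a user ID label attached to a signing key's fingerprint. The sample listing, names, addresses and fingerprints are constructed; `signing_identities` and `emails` are hypothetical helper names.

```ruby
# Constructed sample in the style of `gpg --list-keys --with-colons`.
# Names, addresses and fingerprints are made up for illustration.
SAMPLE = <<~'OUT'
  pub:f:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC::::::23::0:
  fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
  uid:f::::1500000000::1111111111111111111111111111111111111111::Example Packager One <packager1@example.org>::::::::::0:
  sub:f:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
  fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBBB:
  pub:r:4096:1:CCCCCCCCCCCCCCCC:1400000000:::-:::sc::::::23::0:
  fpr:::::::::000000000000000000000000CCCCCCCCCCCCCCCC:
  uid:r::::1400000000::2222222222222222222222222222222222222222::Example Packager Two (old key\x3a revoked) <packager2@example.org>::::::::::0:
OUT

# Undo the C-style \xNN escaping gpg applies inside colon-separated fields.
def unescape(field)
  field.gsub(/\\x(\h\h)/) { $1.hex.chr }
end

# One hash per primary key: fingerprint, validity flag (f = full, r = revoked), user IDs.
def signing_identities(listing)
  keys = []
  want_fpr = false # true only for the fpr record that follows a pub record
  listing.each_line(chomp: true) do |line|
    f = line.split(":", -1)
    case f[0]
    when "pub"
      keys << { fingerprint: nil, validity: f[1], uids: [] }
      want_fpr = true
    when "sub"
      want_fpr = false # the next fpr belongs to the subkey, skip it
    when "fpr"
      keys.last[:fingerprint] = f[9] if want_fpr && keys.any?
      want_fpr = false
    when "uid"
      keys.last[:uids] << unescape(f[9]) if keys.any?
    end
  end
  keys
end

# Email part of each user ID: a label naming the key owner, not a mail recipient.
def emails(keys)
  keys.flat_map { |k| k[:uids].map { |u| u[/<([^>]+)>/, 1] } }.compact
end

signing_identities(SAMPLE).each { |k| puts "#{k[:fingerprint]} [#{k[:validity]}] #{k[:uids].join(', ')}" }
```
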

jeroenbuse commented 2 years ago

> That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

Yes, odd indeed. The data is gone, not saved.

jeroenbuse commented 2 years ago

> @jeroenbuse
>
> pacman-key (gpg) will often show key operations, including updating/retrieving keys, which show email addresses. Is that what you saw in your console? IOW, it's not 'contacting' email addresses?

It was with gpg. I don't know if it's "contacting" or not.

jeroenbuse commented 2 years ago

> That is likely it... and can feel suspicious to the suspecting! Let's hope that's the only thing.

Yes, maybe it is. It was not mentioned beforehand, so it surprised me. And then I get suspicious.

jeroenbuse commented 2 years ago

> Some background. 'gpg' is a signing/encryption system. It can be used to sign/encrypt email. It is also used for 'package' signing. The package system (in Windows Ruby, MSYS2) has a list of valid signing keys, and all its packages are signed with those keys.
>
> Hence, gpg's purpose is to guarantee that the MSYS2 package(s) you are installing are valid MSYS2 packages.

Thank you for your reply. I can not validate this. This particular aspect of the installation was not mentioned beforehand. It was a complete surprise to me and I do not like that. I must be able to trust an install.

jeroenbuse commented 2 years ago

> That's odd - could you share more details, screenshot, info? Which rubyinstaller version did you use and where did you get it?

Hi Mohit. I got the installer from https://rubyinstaller.org/

jeroenbuse commented 2 years ago

Thank you all for your answers. Maybe I'll uninstall Ruby and scan my whole system. It's a pity, I want to use Ruby. Again, thanks all for your responses. :-)

mohits commented 2 years ago

Hi @jeroenbuse - as @MSP-Greg pointed out, this is normal. It does not contact email addresses. While scanning the system is not a bad idea, this output is as expected since it's part of the integrity check.

You should be fine using Ruby on Windows!

MSP-Greg commented 2 years ago

@jeroenbuse

> Maybe I'll uninstall Ruby and scan my whole system. It's a pity, I want to use Ruby.

Have at it. All the software you're installing is included in the Windows images used for GitHub Actions. I believe a similar service is available on Azure. So...

mohits commented 1 year ago

Since this behaviour has been identified as normal and there is nothing more being added in this conversation, I will close this issue.