On Monday 01 July 2013 12:33:12 Stephan Kulow wrote:
> On 01.07.2013 11:30, Cornelius Schumacher wrote:
> > On Monday 01 July 2013 08:37:32 Klaus Kaempf wrote:
> > > Interesting read:
> > >
> > > "Let’s get this out of the way: gems are awesome, and RubyGems.org is
> > > a great service.
> > > ...But lately I’ve been feeling queasy every time I add a new gem to
> > > an app. The more I think about it, the more it seems that the way we
> > > use gems isn’t just flawed. It’s a disaster waiting to happen."
> > >
> > > https://www.honeybadger.io/blog/2013/06/25/stop-using-rubygemsorg-in-production
> >
> > The solution which is suggested in this blog is, by the way, how we do
> > it in SUSE Studio. We run a geminabox server as source for all the gems
> > we deploy.
>
> You do "Review the code for treachery" too?
Sascha is right that running the server is not the actual issue, but it is a
necessary condition to be able to control what's being used by an app. We do
look at what we are using, but of course we are not able to review every
single line of code for every version update. So, as Sascha also already said,
relying on the reputation of upstream projects is also part of it. One nice
side effect of channeling gems through your own server is that you have a
complete track of the code you are using as gems, so in case there is any
doubt about possibly compromised gems, it's possible to analyze that.
--
Cornelius Schumacher
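The two controls Cornelius describes, only pulling gems from a server you run and keeping a record of exactly which gem files went into a deployment, can be checked mechanically. The script below is an added example, not code from the thread, SUSE Studio or geminabox: it parses a Gemfile.lock, flags any `remote:` that is not the internal gem server, and compares each locked gem against a SHA-256 manifest recorded when the .gem files were uploaded. The lockfile, the internal hostname `gems.internal.example`, the "gem archive" contents and the checksum manifest are all constructed for the example; in practice the archive would be the geminabox data directory and the manifest would be written at upload time.

```ruby
require 'digest'

# Constructed Gemfile.lock (not taken from any real project). The second
# "remote:" line is the case the audit should catch: the public index has
# crept in next to the internal server.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://gems.internal.example/
  remote: https://rubygems.org/
  specs:
    rack (1.5.2)
    rake (10.1.0)

PLATFORMS
  ruby

DEPENDENCIES
  rack
  rake
LOCK

# Only the server we operate is an acceptable gem source (assumed hostname).
ALLOWED_SOURCES = ['https://gems.internal.example/'].freeze

# Stand-ins for the bytes of the .gem files held on the internal server.
FAKE_GEM_ARCHIVE = {
  'rack-1.5.2'  => 'constructed bytes standing in for rack-1.5.2.gem',
  'rake-10.1.0' => 'constructed bytes standing in for rake-10.1.0.gem',
}.freeze

# Checksums recorded at upload time. The rake entry is deliberately wrong
# to simulate a gem file that was replaced after it was reviewed.
KNOWN_CHECKSUMS = {
  'rack-1.5.2'  => Digest::SHA256.hexdigest(FAKE_GEM_ARCHIVE['rack-1.5.2']),
  'rake-10.1.0' => '0' * 64,
}.freeze

# Minimal Gemfile.lock reader: collects the GEM section's remotes and the
# top-level "name (version)" spec lines (4-space indent); transitive
# dependency lines are indented deeper and are skipped.
def parse_lockfile(text)
  sources = []
  gems = {}
  section = nil
  text.each_line do |line|
    l = line.chomp
    if l =~ /\A\S/
      section = l
      next
    end
    next unless section == 'GEM'
    if (m = l.match(/\A  remote: (\S+)/))
      sources << m[1]
    elsif (m = l.match(/\A    (\S+) \(([^)]+)\)\z/))
      gems[m[1]] = m[2]
    end
  end
  { sources: sources, gems: gems }
end

# Returns a list of findings; an empty list means every locked gem comes
# from an allowed source and matches the checksum recorded for it.
def audit(lockfile_text, gem_archive, allowed_sources:, known_checksums:)
  lock = parse_lockfile(lockfile_text)
  findings = []
  (lock[:sources] - allowed_sources).each do |src|
    findings << "untrusted source: #{src}"
  end
  lock[:gems].each do |name, version|
    key = "#{name}-#{version}"
    data = gem_archive[key]
    if data.nil?
      findings << "#{key}: not present in local gem archive"
      next
    end
    expected = known_checksums[key]
    actual = Digest::SHA256.hexdigest(data)
    if expected.nil?
      findings << "#{key}: no recorded checksum"
    elsif actual != expected
      findings << "#{key}: checksum mismatch"
    end
  end
  findings
end

if __FILE__ == $0
  audit(SAMPLE_LOCKFILE, FAKE_GEM_ARCHIVE,
        allowed_sources: ALLOWED_SOURCES,
        known_checksums: KNOWN_CHECKSUMS).each { |f| puts f }
end
```

Run against the constructed input it reports two findings: the public `rubygems.org` remote and the rake checksum mismatch. A non-empty result is the point at which a deployment should stop and someone looks at the gem in question, which is the "analyze that" step Cornelius mentions.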