Mailinglist Archive: opensuse-ruby (10 mails)

Re: [opensuse-ruby] The case against using RubyGems.org in production
On 07/01/2013 11:30 AM, Cornelius Schumacher wrote:
> On Monday 01 July 2013 08:37:32 Klaus Kaempf wrote:
>> Interesting read:
>>
>> "Let’s get this out of the way: gems are awesome, and RubyGems.org is
>> a great service.
>>
>> ...But lately I’ve been feeling queasy every time I add a new gem to
>> an app. The more I think about it, the more it seems that the way we
>> use gems isn’t just flawed. It’s a disaster waiting to happen."
>>
>> https://www.honeybadger.io/blog/2013/06/25/stop-using-rubygemsorg-in-production
>
> The solution suggested in this blog is, by the way, how we do it in
> SUSE Studio. We run a geminabox server as source for all the gems we deploy.

I think the real crux is not about running your own mirror or not. The attack vector is that it's easy to get security issues merged into random GitHub (Ruby) projects (which may end up on rubygems.org) and to have people use them blindly.

It's a really nasty topic and not specific to Ruby / gems in any way. It's about monitoring upstream changes for flaws, which usually can't reasonably be done upfront.

For us, a better solution is to reduce gem usage to the bare minimum and stick with well-known ones that have a broad developer community behind them. Audits by our sec guys can help too.
--
Sascha Peilicke
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer HRB 16746 (AG Nürnberg)
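An added example, not from this thread and not SUSE Studio's or geminabox's own code, of the kind of check the two ideas above (a private gem mirror as the only source, plus a short list of well-known gems) make possible: a script that parses a Gemfile.lock and reports every gem that was resolved from a remote other than the internal mirror, and every gem that is not on an approved list. The lockfile text, the mirror hostname `gems.example.internal` and the approved-gem list are constructed for the example.

```ruby
# Audit a Bundler lockfile against an internal mirror and an approved-gem list.
# Example code written for this archive page; hostnames and gems are made up.

# Constructed sample Gemfile.lock: four gems from the internal mirror and one
# that quietly resolved from rubygems.org (the case the audit should catch).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://gems.example.internal/
    specs:
      rack (1.5.2)
      rake (10.1.0)
      sinatra (1.4.3)
        rack (~> 1.4)
        tilt (~> 1.3, >= 1.3.4)
      tilt (1.4.1)

  GEM
    remote: https://rubygems.org/
    specs:
      shiny-new-thing (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    shiny-new-thing
    sinatra
LOCK

# Hypothetical policy: the only allowed source and the gems audited so far.
INTERNAL_REMOTE = "https://gems.example.internal/".freeze
APPROVED_GEMS   = %w[rack rake sinatra tilt].freeze

# Returns one { name:, version:, remote: } hash per resolved gem.
# Top-level section names (GEM, PLATFORMS, ...) start at column 0, the
# remote: and specs: keys are indented two spaces, resolved gems four, and
# their transitive dependency constraints six (those are skipped).
def parse_lockfile(text)
  specs = []
  remote = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.strip.empty? || line =~ /\A\S/
      remote = nil        # a blank line or a new section ends the GEM block
      in_specs = false
      next
    end
    if (m = line.match(/\A  remote: (\S+)\z/))
      remote = m[1]
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      specs << { name: m[1], version: m[2], remote: remote }
    end
  end
  specs
end

# Returns the two finding lists the deploy pipeline should block on:
# gems fetched from anywhere but the mirror, and gems nobody has vetted yet.
def audit(specs, approved: APPROVED_GEMS, internal: INTERNAL_REMOTE)
  {
    foreign_remote: specs.reject { |s| s[:remote] == internal }.map { |s| s[:name] },
    unapproved:     specs.reject { |s| approved.include?(s[:name]) }.map { |s| s[:name] },
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit(parse_lockfile(SAMPLE_LOCKFILE))
  puts "gems resolved outside the mirror: #{report[:foreign_remote].join(', ')}"
  puts "gems not on the approved list:    #{report[:unapproved].join(', ')}"
end
```

Run against a real lockfile by replacing `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`; a non-empty finding list is the signal to stop the deploy. The mirror check only proves where a gem was fetched from, not that its contents are sound, which is the point made above about auditing the well-known gems you keep.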
