"Federating" rubygems.org

Evan Phoenix evan at phx.io
Wed Jan 18 12:49:24 EST 2012


While thinking about the gem size and dependency naming issues last night, I had a thought for a feature. 

What if the following were possible:

  gem push --custom-url http://phx.io/gems/gx-1.0.0.gem gx-1.0.0.gem

Rather than uploading the gx gem to rubygems.org, this would upload just the spec and set a "url" field that the user has specified. When the gem is requested for download, we'd redirect to that custom url.

This allows rubygems.org to be a sort of head-in or primary federation server for gems. 99% of people will just push their gem like normal, but the people who have very large gems that no longer fit within our size limit can simply host the gem file themselves. This provides a best-case scenario where users can continue to simply install a gem like normal, but the cost of hosting the large gems is offset by the creator.

I was worried about security slightly, since the file at the url could be replaced with different code after the fact. But this is not dissimilar from someone pushing a new version that introduces a security issue. Since most people use ~> or > for their deps, they'd pick up that new version.

Thoughts? Comments and Criticisms Required. 

-- 
Evan Phoenix // evan at phx.io
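
An added example, not part of the original message and not RubyGems code: one way an index could handle the replaced-file concern raised above is to record a SHA-256 of the gem at push time and have the client check the redirected download against it. `FederatedIndex`, `fetch_verified`, the digest field and the in-memory fetcher are hypothetical names and assumptions, and the remote host is simulated with constructed data.

```ruby
require "digest"

# Hypothetical stand-in for the index: it stores only spec metadata, the
# custom URL, and a SHA-256 of the gem file as it existed at push time.
class FederatedIndex
  Entry = Struct.new(:name, :version, :url, :sha256)

  def initialize
    @entries = {}
  end

  # Models `gem push --custom-url URL FILE`: the bytes stay on the author's
  # host, the index keeps the URL plus a digest of what was pushed.
  def push(name, version, url, gem_bytes)
    digest = Digest::SHA256.hexdigest(gem_bytes)
    @entries[[name, version]] = Entry.new(name, version, url, digest)
  end

  def lookup(name, version)
    @entries.fetch([name, version]) { raise KeyError, "unknown gem #{name}-#{version}" }
  end
end

class DigestMismatch < StandardError; end

# Client side: follow the "redirect" to the custom URL, then refuse the
# download unless it matches the digest the index recorded at push time.
# `fetcher` is any callable mapping URL -> bytes, so the example runs offline.
def fetch_verified(index, name, version, fetcher)
  entry  = index.lookup(name, version)
  bytes  = fetcher.call(entry.url)
  actual = Digest::SHA256.hexdigest(bytes)
  unless actual == entry.sha256
    raise DigestMismatch,
          "#{name}-#{version} from #{entry.url}: expected #{entry.sha256}, got #{actual}"
  end
  bytes
end

# Constructed sample data: a fake remote host keyed by URL.
GX_URL  = "http://phx.io/gems/gx-1.0.0.gem"
REMOTE  = { GX_URL => "original gx gem bytes" }
INDEX   = FederatedIndex.new
INDEX.push("gx", "1.0.0", GX_URL, REMOTE[GX_URL])
FETCHER = ->(url) { REMOTE.fetch(url) }
```

With the digest pinned in the index, swapping the file at the custom URL makes the install fail, whereas shipping changed code through a new version remains a visible, versioned event.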




More information about the RubyGems-Developers mailing list