drbrain at segment7.net
Wed Jan 18 13:16:58 EST 2012
On Jan 18, 2012, at 9:49 AM, Evan Phoenix wrote:
> While thinking about the gem size and dependency naming issues last night, I had a thought for a feature.
> What if the following were possible:
> gem push --custom-url http://phx.io/gems/gx-1.0.0.gem gx-1.0.0.gem
> This would, rather than uploading the gx gem to rubygems.org, it would upload just the spec and set a "url" field that the user has specified. When the gem is requested for download, we'd redirect to that custom url.
> This allows rubygems.org to be a sort of head-in or primary federation server for gems. 99% of people will just push their gem like normal, but for the people that have very large gems that no longer fit within our size limit, they can simply host the gem file themselves. This provides a best case scenario where users can continue to simply install a gem like normal, but the costs of hosting the large gems is offset by the creator.
> I was worried about security slightly, since the file at the url could be replaced with different code after the fact. But this is not dissimilar from someone pushing a new version that introduces a security issue. Since most people use ~> or > for their deps, they'd pick up that new version.
I think a secure hash of the gem should be uploaded along with the spec to ensure the destination file cannot be changed.
Offhand, I can't think of anything terrible about this so long as rubygems can verify the foreign file is correct.
More information about the RubyGems-Developers