"Federating" rubygems.org

Charles Oliver Nutter headius at headius.com
Wed Jan 18 18:55:55 EST 2012

On Wed, Jan 18, 2012 at 5:09 PM, Charles Oliver Nutter
<headius at headius.com> wrote:
> I wonder if Github or someone else with a tiered service would be
> interested in partnering with RubyGems.org?

After chatting a bit with Evan on IRC, I'm on board with a simple
option. Summarizing my understanding of the idea here:

Basic multi-home support:

* gem push <url> (or something like that) will fetch your pre-uploaded
gem, hash it, and submit gemspec + hash + URL to RG.org
* gem install X (where X is a remote-sourced gem) will get gemspec +
hash + URL from RG.org and fetch the gem file on its own

It does make pushing these gems a two-step process, which could
perhaps be mitigated by RG supporting push --upload plugins in the
future that can work with your S3, GH, whatever account. But for now,
I think people pushing big gems would be more than happy to deal with
the two-step process. For JRuby, we'd just add the gem upload to our
S3 push, and then the gem push just references that URL. No extra
work, really.

>> I was worried about security slightly, since the file at the url could be replaced with different code after the fact. But this is not dissimilar from someone pushing a new version that introduces a security issue. Since most people use ~> or > for their deps, they'd pick up that new version.

Security is still tricky. Newer RubyGems versions would validate the
downloaded gem client-side based on the hash from RG.org, so that's
ok. But older RubyGems versions would have to either reject
remote-sourced gems entirely (not great) or just accept them as ok.
Evan suggested that RG.org could periodically cull remote-sourced gems
that no longer match their hashes, to reduce the window of opportunity
for an attack.

My position:

* I don't care if old RG can download, but having RG.org still mirror
remote-sourced gems for older clients (for a while) would be good
* I really like the gem push <url> form.
* JRuby is on board to offload our gems and provide info to all JRuby
users on how to offload theirs (e.g. Torquebox, Jenkins).

- Charlie
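As an added example (not code from this thread or from RubyGems itself), a small Ruby model of the remote-sourced gem flow sketched above: the publisher hashes the pre-uploaded gem and submits gemspec + hash + URL, the client fetches the file from that URL itself and refuses it on a hash mismatch, and a cull check shows how RG.org could notice a file that has been replaced after the fact. Record fields, URLs and gem bytes are constructed for the example.

```ruby
# Added example: minimal model of "gem push <url>" / "gem install X" for
# remote-sourced gems, with hash verification on the client side.
require 'digest'

# Hypothetical index record as RG.org might serve it (gemspec summary + hash + URL).
RemoteGemRecord = Struct.new(:name, :version, :url, :sha256)

# Publisher side ("gem push <url>"): hash the already-uploaded gem file and
# build the record that would be submitted to RG.org.
def build_record(name, version, url, gem_bytes)
  RemoteGemRecord.new(name, version, url, Digest::SHA256.hexdigest(gem_bytes))
end

# Client side ("gem install X"): fetch the gem via `fetcher` (a callable taking
# a URL and returning bytes) and compare it against the hash RG.org served.
# Returns [:ok, bytes] or [:hash_mismatch, nil]; the bytes are only handed
# back once verified, so a caller cannot install a tampered file by mistake.
# The expected hash is public, so a constant-time compare is not needed here.
def verify_remote_gem(record, fetcher)
  bytes = fetcher.call(record.url)
  return [:hash_mismatch, nil] unless Digest::SHA256.hexdigest(bytes) == record.sha256
  [:ok, bytes]
end

# Convenience wrapper returning just the status symbol.
def check_install(record, fetcher)
  verify_remote_gem(record, fetcher).first
end

# RG.org side: the periodic cull suggested in the thread. Re-fetch each record's
# URL and keep only those whose file still matches the submitted hash.
def cull_stale_records(records, fetcher)
  records.select { |rec| check_install(rec, fetcher) == :ok }
end

# Constructed sample data: the gem as uploaded, and a later replacement at the
# same URL (the "file replaced after the fact" case raised in the thread).
ORIGINAL_GEM = "constructed gem archive bytes v1".b
TAMPERED_GEM = "constructed gem archive bytes v1 plus injected change".b
GEM_URL = "https://example.invalid/example-gem-1.0.0.gem" # placeholder URL

RECORD = build_record("example-gem", "1.0.0", GEM_URL, ORIGINAL_GEM)

# Fetchers standing in for HTTP: one serves the original file, one the replacement.
HONEST_FETCHER   = ->(_url) { ORIGINAL_GEM }
REPLACED_FETCHER = ->(_url) { TAMPERED_GEM }

if __FILE__ == $PROGRAM_NAME
  puts "original file: #{check_install(RECORD, HONEST_FETCHER)}"   # :ok
  puts "replaced file: #{check_install(RECORD, REPLACED_FETCHER)}" # :hash_mismatch
  puts "records after cull: #{cull_stale_records([RECORD], REPLACED_FETCHER).size}" # 0
end
```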
