On Jan 18, 2012, at 9:49 AM, Evan Phoenix wrote:

> While thinking about the gem size and dependency naming issues last night, I
> had a thought for a feature.
>
> What if the following were possible:
>
> gem push --custom-url http://phx.io/gems/gx-1.0.0.gem gx-1.0.0.gem
>
> This would, rather than uploading the gx gem to rubygems.org, upload
> just the spec and set a "url" field that the user has specified. When the gem
> is requested for download, we'd redirect to that custom url.
>
> This allows rubygems.org to be a sort of head-in or primary federation server
> for gems. 99% of people will just push their gem like normal, but for the
> people that have very large gems that no longer fit within our size limit,
> they can simply host the gem file themselves. This provides a best case
> scenario where users can continue to simply install a gem like normal, but
> the cost of hosting the large gems is offset by the creator.
>
> I was worried about security slightly, since the file at the url could be
> replaced with different code after the fact. But this is not dissimilar from
> someone pushing a new version that introduces a security issue. Since most
> people use ~> or > for their deps, they'd pick up that new version.
I think a secure hash of the gem should be uploaded along with the spec to ensure the destination file cannot be changed. Offhand, I can't think of anything terrible about this so long as rubygems can verify the foreign file is correct.

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
[email protected]
http://rubyforge.org/mailman/listinfo/rubygems-developers
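The check the reply above asks for, as an added example that is not RubyGems or rubygems.org code: at push time the spec records the SHA-256 of the gem file, and whoever later fetches the file from the custom URL hashes the bytes actually received and refuses anything that does not match. The gem bytes, the "tampered" replacement and the fetcher lambdas are constructed stand-ins so the script runs offline; the URL is the one from the proposal and the host is hypothetical.

```ruby
require 'digest'

# Added example, not RubyGems or rubygems.org code. A spec pushed to the index
# carries the SHA-256 of the gem file as it was at push time; the index (or the
# installer following the redirect) refuses bytes from the custom URL that hash
# differently, which is what stops the hosted file being swapped afterwards.

class DigestMismatch < StandardError; end

# Constructed stand-in for the .gem archive the author hosts at the custom URL.
ORIGINAL_GEM_BYTES = "gx-1.0.0 gem archive (constructed sample bytes)".b.freeze
# Same URL later serving different content, the case the proposal worried about.
TAMPERED_GEM_BYTES = "gx-1.0.0 gem archive with extra code (constructed)".b.freeze

def gem_digest(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Build the spec record at push time: name, version, the user-supplied URL and
# the digest of the file that was pushed alongside the spec.
def pin_spec(name, version, url, bytes)
  { name: name, version: version, url: url, sha256: gem_digest(bytes) }.freeze
end

# Constant-time comparison so a mismatch cannot be located byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fetch the gem through the supplied fetcher (a stand-in for an HTTP GET of the
# custom URL), then verify the bytes actually received, i.e. after any redirect,
# against the pinned digest. Returns the bytes on success, raises otherwise.
def fetch_verified_gem(spec, fetcher)
  bytes = fetcher.call(spec[:url])
  actual = gem_digest(bytes)
  unless constant_time_equal?(spec[:sha256], actual)
    raise DigestMismatch,
          "#{spec[:name]}-#{spec[:version]} at #{spec[:url]}: " \
          "expected sha256 #{spec[:sha256]}, got #{actual}"
  end
  bytes
end

# true/false wrapper so callers (and tests) can check the outcome directly.
def foreign_gem_ok?(spec, fetcher)
  fetch_verified_gem(spec, fetcher)
  true
rescue DigestMismatch
  false
end

# Spec as it would be stored when `gem push --custom-url ...` uploads it.
GX_SPEC = pin_spec('gx', '1.0.0', 'http://phx.io/gems/gx-1.0.0.gem', ORIGINAL_GEM_BYTES)

# Offline fetchers: one returns the file as pushed, the other a replaced file.
HONEST_FETCHER  = ->(_url) { ORIGINAL_GEM_BYTES }
SWAPPED_FETCHER = ->(_url) { TAMPERED_GEM_BYTES }

if __FILE__ == $PROGRAM_NAME
  puts "unchanged file accepted: #{foreign_gem_ok?(GX_SPEC, HONEST_FETCHER)}"
  puts "swapped file accepted:   #{foreign_gem_ok?(GX_SPEC, SWAPPED_FETCHER)}"
end
```

The point of hashing the received bytes rather than trusting anything the remote host says about itself is that the foreign server is exactly the party that cannot be trusted after the fact; the digest pinned on rubygems.org at push time is the only reference that the author cannot silently change.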
