On Wed, Jan 18, 2012 at 5:09 PM, Charles Oliver Nutter <head...@headius.com> wrote:
> I wonder if Github or someone else with a tiered service would be
> interested in partnering with RubyGems.org?

After chatting a bit with Evan on IRC, I'm on board with a simple option. Summarizing my understanding of the idea here:

Basic multi-home support:

* gem push <url> (or something like that) will fetch your pre-uploaded gem, hash it, and submit gemspec + hash + URL to RG.org
* gem install X (where X is a remote-sourced gem) will get gemspec + hash + URL from RG.org and fetch the gem file on its own

It does make pushing these gems a two-step process, which could perhaps be mitigated by RG supporting push --upload plugins in the future that can work with your S3, GH, whatever account. But for now, I think people pushing big gems would be more than happy to deal with the two-step process. For JRuby, we'd just add the gem upload to our S3 push, and then the gem push just references that URL. No extra work, really.

>> I was worried about security slightly, since the file at the url could be
>> replaced with different code after the fact. But this is not dissimilar from
>> someone pushing a new version that introduces a security issue. Since most
>> people use ~> or > for their deps, they'd pick up that new version.

Security is still tricky. Newer RubyGems versions would validate the downloaded gem client-side based on the hash from RG.org, so that's ok. But older RubyGems versions would have to either reject remote-sourced gems entirely (not great) or just accept them as ok. Evan suggested that RG.org could periodically cull remote-sourced gems that no longer match their hashes, to reduce the window of opportunity for an attack.

My position:

* I don't care if old RG can download, but having RG.org still mirror remote-sourced gems for older clients (for a while) would be a good compromise.
* I really like the gem push <url> form.
* JRuby is on board to offload our gems and provide info to all JRuby users on how to offload theirs (e.g. Torquebox, Jenkins).

- Charlie

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
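The push / install / cull flow sketched in the message above, as an added illustration that is not code from RubyGems or from the thread's authors. The remote hosts (S3, GitHub) and the RG.org index are stand-in hashes, the gem bytes and URL are constructed, and the function names are assumptions; the point is that a hash-aware client rejects a file replaced after push, and the periodic cull drops the index entry so older, non-verifying clients stop being pointed at it.

```ruby
require "digest"

# Constructed stand-in for the remote hosts (S3, GitHub, ...): URL => gem bytes.
REMOTE_FILES = {}
# Constructed stand-in for the RG.org index: gem name => { spec:, sha256:, url: }.
INDEX = {}

def sha256(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# "gem push <url>": RG.org fetches the already-uploaded gem from the URL (not
# from the pusher), hashes it, and records gemspec + hash + URL.
def push_remote_gem(name, version, url)
  bytes = REMOTE_FILES.fetch(url)
  INDEX[name] = { spec: { name: name, version: version }, sha256: sha256(bytes), url: url }
end

# "gem install X" on a hash-aware client: look up spec + hash + URL, fetch the
# file from its URL, and refuse it unless the bytes still match the push-time hash.
def install_remote_gem(name)
  entry = INDEX.fetch(name)
  bytes = REMOTE_FILES.fetch(entry[:url])
  actual = sha256(bytes)
  return [:rejected, actual] unless actual == entry[:sha256]
  [:installed, bytes]
end

# Periodic cull on RG.org: drop entries whose remote file is gone or no longer
# matches its hash, narrowing the window for clients that cannot verify it.
def cull_mismatched_remote_gems
  culled = INDEX.select do |_name, entry|
    remote = REMOTE_FILES[entry[:url]]
    remote.nil? || sha256(remote) != entry[:sha256]
  end.keys
  culled.each { |name| INDEX.delete(name) }
  culled
end

# Constructed scenario: push, install, then the hosted file changes after the fact.
def tamper_after_push_scenario
  INDEX.clear
  REMOTE_FILES.clear
  url = "https://example.invalid/jruby-1.7.0.gem"            # constructed URL
  REMOTE_FILES[url] = "constructed gem bytes, as pushed"
  push_remote_gem("jruby", "1.7.0", url)
  first = install_remote_gem("jruby").first                   # :installed
  REMOTE_FILES[url] = "constructed gem bytes, replaced later"
  second = install_remote_gem("jruby").first                  # :rejected
  [first, second, cull_mismatched_remote_gems]                # cull returns ["jruby"]
end
```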