Matt,

Yeah, definitely! I forgot to mention that... It's more to mitigate tampering after you initially verify the integrity of the gems and include them in your project.

That being said, I don't think I've ever verified the md5 checksum of a gem I've downloaded...

- Adam

On Wed, Jan 30, 2013 at 2:12 PM, Matt Aimonetti <[email protected]> wrote:

> We do the same thing, but if rubygems is pwned, you would get the tampered
> gems when you do bundle install/update.
>
> - Matt
>
> On Wed, Jan 30, 2013 at 2:04 PM, Adam Grant <[email protected]> wrote:
>
>> We vendor our gems in vendor/cache using bundle install, and commit those
>> to Git. Then we do a
>>
>>     $ bundle install --local --no-cache --no-prune
>>
>> using the built-in capistrano recipe that Bundler comes with when we
>> deploy to a server.
>>
>> That way we always have the Gems snapshotted for each release.
>>
>> Works well.
>>
>> - Adam
>>
>> On Wed, Jan 30, 2013 at 1:28 PM, James Miller <[email protected]> wrote:
>>
>>> Or the sugar version of that:
>>>
>>>     gem "nokogiri", github: "tenderlove/nokogiri", branch: "1.4"
>>>
>>> On Wed, Jan 30, 2013 at 1:26 PM, Kevin Baker <[email protected]> wrote:
>>>
>>>> You could also use a direct source to the github repo for the gem.
>>>>
>>>> Example:
>>>>
>>>>     gem "nokogiri", :git => "git://github.com/tenderlove/nokogiri.git",
>>>>       :branch => "1.4"
>>>>
>>>> On Wed, Jan 30, 2013 at 1:14 PM, Matt Aimonetti <[email protected]> wrote:
>>>>
>>>>> Your own gem server (using geminabox or whatever).
>>>>>
>>>>> At the moment, no real issues have been found. Some config information
>>>>> from the server was retrieved but that's about it. The credentials were
>>>>> changed and the team is looking into potentially tampered gems or server
>>>>> backdoors.
>>>>>
>>>>> Avoid deploying if you can. You can see more info in real time via
>>>>> freenode: #rubygems
>>>>>
>>>>> - Matt
>>>>>
>>>>> On Wed, Jan 30, 2013 at 1:02 PM, Eric MacAdie <[email protected]> wrote:
>>>>>
>>>>>> What alternative is there to rubygems.org?
>>>>>>
>>>>>> - Eric MacAdie
>>>>>>
>>>>>> On Wed, Jan 30, 2013 at 2:31 PM, Kevin Ball <[email protected]> wrote:
>>>>>>
>>>>>>> If you pull your gems from rubygems.org they're recommending
>>>>>>> halting deploys until they give an all clear.
>>>>>>>
>>>>>>> Haven't seen any full writeups but there's info here:
>>>>>>>
>>>>>>> https://status.heroku.com/incidents/489
>>>>>>> https://twitter.com/rubygems_status
>>>>>>> https://twitter.com/qrush
>>>>>>>
>>>>>>> -Kevin
>>>>>>>
>>>>>>> --
>>>>>>> --
>>>>>>> SD Ruby mailing list
>>>>>>> [email protected]
>>>>>>> http://groups.google.com/group/sdruby
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "SD Ruby" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
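Adam's point in the thread is that committing vendor/cache pins the gem bytes you reviewed, and Matt's is that the pin only helps if the bytes were clean when you took the snapshot. The script below is an added example written for this page, not code from the thread, Bundler or rubygems.org: it takes a checksum manifest of vendor/cache at the moment the gems are reviewed and committed, and later verifies the cache against it so a rewritten or smuggled-in .gem blocks the deploy. It uses SHA-256 rather than the md5 Adam mentions (md5 is not collision-resistant, so an attacker who controls the gem bytes could keep the checksum unchanged). The gem file names and contents are constructed placeholders, not real gems, and `verify_cache`, `checksum_manifest` and the manifest format are this example's own, not a Bundler feature.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# SHA-256 of every *.gem in a vendor/cache directory, keyed by file name.
# Sorted so the manifest is stable across runs and diffs cleanly in git.
def checksum_manifest(cache_dir)
  Dir.glob(File.join(cache_dir, "*.gem")).sort.each_with_object({}) do |path, manifest|
    manifest[File.basename(path)] = Digest::SHA256.file(path).hexdigest
  end
end

# Serialise in `sha256sum` format ("<hex>  <file>") so the manifest can be
# committed next to vendor/cache and cross-checked with `sha256sum -c` too.
def manifest_to_text(manifest)
  manifest.map { |name, hex| "#{hex}  #{name}\n" }.join
end

def manifest_from_text(text)
  text.each_line.with_object({}) do |line, manifest|
    hex, name = line.strip.split(/\s+/, 2)
    next if hex.nil? || name.nil?
    manifest[name] = hex
  end
end

# Compare what is on disk against the committed manifest. Each class of
# mismatch should fail the deploy, not just warn:
#   :tampered   - gem present but its bytes differ from the snapshot
#   :missing    - snapshot lists a gem that is no longer in the cache
#   :unexpected - a gem appeared that was never part of the snapshot
def verify_cache(cache_dir, expected)
  actual = checksum_manifest(cache_dir)
  {
    tampered:   expected.keys.select { |g| actual.key?(g) && actual[g] != expected[g] },
    missing:    expected.keys - actual.keys,
    unexpected: actual.keys - expected.keys,
  }
end

def cache_ok?(report)
  report.values.all?(&:empty?)
end

# Constructed demonstration: the .gem files here are placeholder bytes in a
# temp directory, not real gems; names are chosen for the example only.
def demo
  Dir.mktmpdir do |dir|
    cache = File.join(dir, "vendor", "cache")
    FileUtils.mkdir_p(cache)
    File.binwrite(File.join(cache, "nokogiri-1.4.7.gem"), "constructed gem bytes A")
    File.binwrite(File.join(cache, "rake-10.0.3.gem"), "constructed gem bytes B")

    # Snapshot taken when the gems were reviewed and committed to git,
    # round-tripped through the text form that would live in the repo.
    manifest = manifest_from_text(manifest_to_text(checksum_manifest(cache)))
    clean = verify_cache(cache, manifest)

    # Simulate a later compromise: one gem rewritten, one gem slipped in.
    File.binwrite(File.join(cache, "nokogiri-1.4.7.gem"), "constructed gem bytes A, backdoored")
    File.binwrite(File.join(cache, "evil-0.0.1.gem"), "constructed gem bytes C")
    dirty = verify_cache(cache, manifest)

    [clean, dirty]
  end
end

if __FILE__ == $PROGRAM_NAME
  clean, dirty = demo
  puts "fresh snapshot ok? #{cache_ok?(clean)}"
  puts "after tampering:   #{dirty.inspect}"
end
```

Run the verification in the deploy step before `bundle install --local`, and treat any non-empty report as a hard stop. The manifest is a trust-on-first-use record: it proves the cache still matches what was committed, not that what was committed was clean, so it must be taken from a cache you reviewed outside the compromise window. The same caveat applies to the Gemfile git sources in the thread: `branch: "1.4"` follows whatever the branch points to tomorrow, while Bundler's `ref:` option with a full commit SHA pins an immutable tree.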
