

The case against using RubyGems.org in production - why-el
https://www.honeybadger.io/blog/2013/06/25/stop-using-rubygemsorg-in-production

======
tomfakes
I agree with Starr about having your own Gem repository available for the code
you want to deploy to your servers.

However, I don't think this solves the initial problem, and that is that you
have to develop a trust with the people writing the Gems.

For the Rails gem, I'm just going to trust those guys, because of their track
record, but for a random gem writer with their first Gem, I'm going to read
the code of that gem to ensure that it does what it says it does.

Having your own gem server doesn't remove this step, but it does put a
roadblock in to stop a gem writer putting in bad code once you've decided to
use it.

So this is a two-step process:

1. Read the Gem code (or trust some other way)
2. Create a Gem Server to isolate from unwanted updates

