
Yes. I think that we need to see a full security report from rubygems.org on this. This could be bigger than just the one package.



Agreed – a postmortem from rubygems.org on how the takeover occurred, and how it would be prevented next time, is something the Ruby community should expect/demand.


Do you feel that anyone in the community who isn't contributing financially or with their time to the project should expect to be able to "demand" anything from Ruby gems?

The lack of funding for foundational parts of many popular ecosystems (e.g. NPM, PyPI, Rubygems) never ceases to surprise me.


We've heard this before. Yes. Developers using this may decide not to use this gem. Ruby gems in general may lose trust.

If the goal of the project is adoption, then do not ignore that group.


So you feel that a group of volunteers with limited funding should do what precisely?

As to losing adoption, that would only happen if

a) there were other options with better security, and given that npm, PyPI and others have had similar problems, there probably aren't

b) Developers would actually move ecosystem due to package manager weaknesses. Given that hasn't happened with any of the previous instances of supply chain attacks (and this has been going on for 5+ years now), I don't think so.

As one example, rubygems was compromised in 2013 (https://news.ycombinator.com/item?id=5139583); did you or anyone else stop using it as a result?


Rubygems is actually given some funding by Ruby Together; I'm not sure what the current budget is. https://rubytogether.org/


Based on their home page they're somewhere near the lower end of the $20k-$35k category for all funding...


I think that is per month? But not sure.


Think you could be right there, so not a tiny amount of cash, but looking at their page, not even enough to have a full-time dev on the gem tools...

Obv. as a security person I'd say they should prioritise security things like audits and improved authentication requirements for gem owners, but realistically it sounds like just keeping the lights on is pretty expensive.


They work on adding other features to rubygems and other things they fund. If I were them, I would work on nothing but security of rubygems.org gem releases.


Yet another example of supply chain attacks. How do businesses seriously allow their devs to pull code from outside sources? It blows my mind. Npm, Ruby gems, etc etc etc.



