Ruby Central transfers ownership of the RubyGems and Bundler repositories to the Ruby core team: 'hostile takeover' controversy continues
Ruby Central has transferred ownership of the RubyGems and Bundler repositories to the Ruby core team, but this did not restore control to the previous maintainers.
A vulnerable gem in your Gemfile.lock is a door left unlocked.
`bundler-audit` scans your lockfile against the CVE database and ranks issues Low to Critical so you patch the scary ones first.
Fix with `bundle update <gem> --conservative`, then wire it into CI so every push gets scanned.
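As an added illustration of what the lockfile scan in the post does (example code, not the post's or bundler-audit's own; the gem names, versions and advisory ids are constructed placeholders), a minimal Ruby scanner that parses the `specs:` entries of a Gemfile.lock and matches them against ruby-advisory-db-style `patched_versions` ranges, ranked most severe first:

```ruby
require "rubygems"

# Constructed sample Gemfile.lock (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    example-json (1.8.2)
    example-web (2.1.0)
      example-json (>= 1.8)
    example-tls (0.9.5)
LOCK

# Constructed advisories with placeholder ids, shaped like ruby-advisory-db
# entries: a gem is affected unless its version falls in a patched range.
SAMPLE_ADVISORIES = [
  { id: "PLACEHOLDER-0001", gem: "example-json", patched: [">= 1.8.3"], criticality: "critical" },
  { id: "PLACEHOLDER-0002", gem: "example-tls", patched: ["~> 0.9.6", ">= 1.0.0"], criticality: "medium" },
  { id: "PLACEHOLDER-0003", gem: "example-web", patched: [">= 2.0.0"], criticality: "low" },
].freeze

SEVERITY_RANK = { "critical" => 4, "high" => 3, "medium" => 2, "low" => 1 }.freeze

# Spec lines sit at exactly four spaces and carry an exact version; their
# dependency lines are indented deeper and carry requirements, so they are skipped.
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, versions|
    next unless line =~ /\A {4}(\S+) \((\d[^)]*)\)\s*\z/
    versions[$1] = Gem::Version.new($2)
  end
end

# A locked version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Findings as [id, gem, locked version, criticality], most severe first,
# matching the "patch the scary ones first" workflow.
def audit(lock_text, advisories)
  locked = locked_versions(lock_text)
  advisories
    .select { |adv| (v = locked[adv[:gem]]) && vulnerable?(v, adv[:patched]) }
    .sort_by { |adv| -SEVERITY_RANK.fetch(adv[:criticality]) }
    .map { |adv| [adv[:id], adv[:gem], locked[adv[:gem]].to_s, adv[:criticality]] }
end

audit(SAMPLE_LOCK, SAMPLE_ADVISORIES).each { |f| puts f.join("  ") } if __FILE__ == $PROGRAM_NAME
```

Run against the sample, it reports example-json 1.8.2 (critical) and example-tls 0.9.5 (medium) and clears example-web 2.1.0, which already sits inside its patched range.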
So #bundler added support for cooldowns.
https://blog.rubygems.org/2026/06/03/cooldown-let-new-gems-be-vetted.html
Aside: This feature is mostly developed by Claude. I haven't reviewed the code. Maybe it's fine. Maybe hsbt did actually read, understand, and guide all the code generated here. But in any case it's kinda depressing that even #Ruby, "a Programmer's Best Friend" language with goals like happiness and fun, is outsourced to AI that can neither have fun, nor be happy, nor have friends.
Anyway, I don't fully get the appeal. My main point of contention is that it's a solution thrice removed from the problem.
The problem is "supply chain security". Sometimes malicious packages get pushed to package registries. It's not that much of a problem if the package is completely new as it doesn't have users yet and people tend to be cautious about new packages. But it's a problem for established projects that get compromised. They have a lot of users and many people depend on them. So a compromised package with lots of users needs very little time to get installed all over and execute its evil plots.
Someone noticed that it doesn't take much time for people to notice that something's not right. Just days, even mere hours. And they came up with a solution: what if we don't install packages right as they get released but wait, say, a week?
It's a self-defeating strategy. Imagine everyone does this. No one installs packages until they get a week old. How will people know if something's not right if no one's using the package?
The whole thing depends on someone noticing that something's not right. But the fewer people use the package the lower the chance that someone will notice. Package cooldowns work great for the small fraction of users in the beginning. But the closer cooldowns adoption goes to 100% the less effective it becomes.
It also implicitly relies on someone noticing an issue. And someone investigating it. Someone needs to a) install the package, b) notice the issue, c) investigate it. None of this is guaranteed by cooldowns.
A more explicit strategy would be that every package needs a certain number of reviews from users to become generally available. So every package upon release becomes available on the index for review. A package manager notifies users that a new version is available in staging and they can help it move along. The package is not available for automatic installation. There's a diff to the previous version that people can review. This is my first idea and it certainly can be improved but, as an example… Users who reviewed the package and approved it can install it right away. The package becomes generally available once a certain number of reviews have come in. E.g. 0.5% of weekly downloads, or 5, 10, 20, etc. approvals from highly trusted, well-known people in the community who are not involved in the project.
As opposed to cooldowns this explicitly depends on actual reviews. Unlike cooldowns, wider adoption improves efficiency: more reviews—faster availability. It also promotes the "best practice" of actually reading the code you install.
Now, to make it a thing I need a catchy name for it. I'm taking suggestions.
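To make the two gating policies discussed above concrete, here is an added toy resolver in Ruby (example code, not from the post, Bundler or RubyGems). It picks the newest version allowed by a policy: the cooldown the post critiques (eligible only once a release is a week old) and the review-gated alternative the post sketches (eligible once enough approvals have come in). The gem name, timestamps and approval counts are constructed; the Bundler setting that configures real cooldowns is not modelled here.

```ruby
require "rubygems"

NOW = Time.utc(2026, 6, 10, 12, 0, 0)   # assumed "current" time for the example
ONE_WEEK = 7 * 24 * 60 * 60

# Constructed release history for a hypothetical gem; 3.2.1 is about a day old.
RELEASES = [
  { version: "3.1.0", published_at: Time.utc(2026, 5, 20), approvals: 12 },
  { version: "3.2.0", published_at: Time.utc(2026, 6, 2),  approvals: 6 },
  { version: "3.2.1", published_at: Time.utc(2026, 6, 9),  approvals: 0 },
].freeze

# Cooldown policy: a release is eligible only once it is `cooldown` seconds old.
def cooldown_policy(cooldown, now = NOW)
  ->(rel) { now - rel[:published_at] >= cooldown }
end

# Review-gated policy: a release is eligible once it has `min_approvals` approvals.
def review_policy(min_approvals)
  ->(rel) { rel[:approvals] >= min_approvals }
end

# Newest version string that satisfies `requirement` and passes `policy`, or nil
# when every candidate is gated off (a real resolver would then fail or keep an
# older pinned version; nothing makes the gated release get tested).
def select_version(releases, requirement, policy)
  req = Gem::Requirement.new(requirement)
  eligible = releases.select { |r| req.satisfied_by?(Gem::Version.new(r[:version])) && policy.call(r) }
  best = eligible.max_by { |r| Gem::Version.new(r[:version]) }
  best && best[:version]
end

if __FILE__ == $PROGRAM_NAME
  puts "cooldown 1w: #{select_version(RELEASES, '~> 3.0', cooldown_policy(ONE_WEEK))}"
  puts "10 reviews:  #{select_version(RELEASES, '~> 3.0', review_policy(10))}"
end
```

With a one-week cooldown the resolver picks 3.2.0 and skips the day-old 3.2.1; with a ten-approval gate it falls back to 3.1.0, and a requirement that only 3.2.1 satisfies yields nil under cooldown.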
Cooldown Support for Ruby Bundler
https://blog.rubygems.org/2026/06/03/cooldown-let-new-gems-be-vetted.html
#HackerNews #Cooldown #Support #Ruby #Bundler #Gems #Development
RubyGems 4.0.13 and Bundler 4.0.13 released: stronger supply-chain security and a new cooldown mechanism
A cooldown mechanism that delays installation of newly published gem versions for a set period is introduced to counter malicious package distribution and account-takeover attacks.
#rubygems #bundler
https://ruby-news.dev/articles/rubygems-4-0-13-and-bundler-4-0-13-released-with-new-supply-chain-security-protections
RubyGems 4.0.13 and Bundler 4.0.13 are out.
The most notable addition is a new cooldown mechanism for newly published gems, helping reduce the risk of supply-chain attacks.
Plus security fixes, Windows improvements, and Bundler enhancements.
Read more 👇

RubyGems 4.0.13 and Bundler 4.0.13 Released with New Supply-Chain Security Protections June 3, 2026 The RubyGems team has released RubyGems 4.0.13 and Bundler 4.0.13, bringing a combination of secu…
Ruby ecosystem confirmed as a participant in Google Summer of Code (GSoC) 2026
The Ruby ecosystem is taking part in GSoC 2026 and is recruiting new contributors to major open-source projects such as RubyGems.org, RubyGems and Bundler.
#rubygems #bundler
https://ruby-news.kr/articles/ruby-participates-in-google-summer-of-code
What RubyGems statistics reveal about the Ruby ecosystem's dependency structure and core libraries
RubyGems download rankings reflect not developers' direct preferences but 'dependency gravity': gems pulled in automatically through the dependency graph.
#rubygems #bundler
https://ruby-news.kr/articles/what-rubygems-stats-actually-reveal-about-the-ecosystem