zlacker

[return to "Ruby Central's Attack on RubyGems [pdf]"]
1. thomas+pH 2025-09-19 14:09:26
>>jolux+(OP)
An update from Ruby Central: Strengthening the Stewardship of RubyGems and Bundler

https://rubycentral.org/news/strengthening-the-stewardship-o...

2. coryth+jN 2025-09-19 14:44:00
>>thomas+pH
Aren’t supply chain attacks caused by package maintainer accounts being compromised? I suppose too many people with keys to the package repository itself is also a liability, but those accounts being compromised just hasn’t been what is happening.
3. coryth+O57 2025-09-21 20:41:47
>>coryth+jN
The other side of the story came out, and of course, it’s very reasonable https://apiguy.substack.com/p/a-board-members-perspective-of...
4. nightp+Z67 2025-09-21 20:50:21
>>coryth+O57
That doesn't sound very reasonable at all. Ruby Central, by their own admission, agreed to take $$$$ of funding on the premise that they would "secure RubyGems against supply chain attacks", and then sat on their hands not doing anything about it until a few days before the deadline, when it was too late to seek community consensus or figure out a good transition plan. So they ended up screwing over everybody who was actually doing work on the project. And they apparently used this as an opportunity to consolidate their power in other ways (renaming the GitHub org) for reasons that were unrelated to the self-imposed deadline.