Comments (3)
Hi @rubyFeedback,
We expected that the time constraint might need adjusting, so thank you for reaching out. The goal is to cause as little disruption as possible to the community and the maintainers while setting boundaries on acceptable use. We chose these specific constraints to allow most yanks, but to require communication with our security team when they are likely to have a large impact on the users of rubygems.org.
The decision was made by the Ruby Central Open Source Committee. The aim of the committee is to ensure that we act in the best interest of the community as a whole.
I'm happy to explain the reasoning behind our decision. Our logic is as follows:
- In assessing the risks to the rubygems.org ecosystem, we agreed that there is a significant risk of attacks or disruptions caused by large maintainers deleting gems used by hundreds of thousands of people.
- Deleting a gem from the ecosystem after it has been public for a period of time is more likely to cause major disruption.
- Sometimes this disruption is desirable. Large bugs, legal situations, or security vulnerabilities in major gems should be communicated to rubygems staff so that we can respond appropriately. Usually more is required than simply deleting the gem.
- In order to reduce the multiplicative negative impact of deleting widely used or old gems, we believe it's our right and responsibility to our community to ask people to communicate with us before performing largely disruptive actions rather than acting unilaterally.
Old versions are known and even expected to have bugs. That's the purpose of patch versions. A single maintainer choosing to delete publicly distributed versions breaks untold numbers of people and forces an immediate halt to their processes. Instead of allowing people to go through normal upgrade processes, a maintainer can unilaterally dictate the breakage of any package they maintain. We ask that maintainers include rubygems.org in this decision when their gem meets certain criteria.
We are open to evolving these constraints collaboratively if we are not meeting our goals. For anything urgent, we have a 24-hour on-call rotation ready to help with emergencies that may arise.
from rubygems.org.