Code Monkey home page Code Monkey logo

Comments (3)

martinemde avatar martinemde commented on July 18, 2024 4

Hi @rubyFeedback,

We expected that the time constraint might need adjusting, so thank you for reaching out. The goal is to cause as little disruption as possible to the community and the maintainers while setting boundaries on acceptable use. We chose these specific constraints to allow most yanks, but to require communication with our security team when they are likely to have a large impact on the users of rubygems.org.

The decision was made by the Ruby Central Open Source Committee. The aim of the committee is to ensure that we act in the best interest of the community as a whole.

I'm happy to explain the reasoning behind our decision. Our logic is as follows:

  1. In assessing the risks to the rubygems.org ecosystem, we agreed that there is a significant risk of attacks or disruptions caused by large maintainers deleting gems used by hundreds of thousands of people.
  2. Deleting a gem from the ecosystem after it has been public for a period of time is more likely to cause major disruption.
  3. Sometimes this disruption is desirable. Large bugs, legal situations, or security vulnerabilities in major gems should be communicated to rubygems staff so that we can respond appropriately. Usually more is required than simply deleting the gem.
  4. In order to reduce the multiplicative negative impact of deleting widely used or old gems, we believe it's our right and responsibility to our community to ask people to communicate with us before performing largely disruptive actions rather than acting unilaterally.

Old versions are known and even expected to have bugs. That's the purpose of patch versions. A single maintainer choosing to delete publicly distributed versions breaks untold numbers of people and forces an immediate halt to their processes. Instead of allowing people to go through normal upgrade processes, a maintainer can unilaterally dictate the breakage of any package they maintain. We ask that maintainers include rubygems.org in this decision when their gem meets certain criteria.

We are open to evolving these constraints collaboratively if we are not meeting our goals. For anything urgent, we have a 24 hour on call rotation ready to help with emergencies that may arise.

from rubygems.org.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.