
PSA: Don't allow private gems to be pushed to rubygems.org

Tobias Kraze
November 17, 2014
Software engineer at makandra GmbH

If you make a gem with Bundler, you will get a rake release task that will instantly publish your gem to rubygems.org for all the world to admire. For private gems this is very bad.


To make sure this cannot happen, rubygems 2.2+ lets you restrict the hosts a gem may be pushed to via the allowed_push_host metadata key; with it set, gem push (and therefore rake release) refuses any other host:

Gem::Specification.new 'my_gem', '1.0' do |s|
  # ...
  s.metadata['allowed_push_host'] = 'https://gems.my-company.example'
end
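As an added example (not code from the original post or from RubyGems itself), here is a small pre-release guard you can run in CI: it loads a Gem::Specification and reports whether its allowed_push_host actually keeps the gem off the public registry. The constant and helper names (PUBLIC_GEM_HOSTS, push_host_problems, private_gem_ok?, sample_private_spec) are my own.

```ruby
require 'rubygems'
require 'uri'

# Hostnames of the public registry. A private gem's allowed_push_host must never
# name one of these, and an unset value means "push to rubygems.org".
PUBLIC_GEM_HOSTS = %w[rubygems.org www.rubygems.org].freeze

# Returns a list of human-readable problems with the spec's push restriction.
# An empty list means the gem can only be pushed to a private host over HTTPS.
# For a real gem: push_host_problems(Gem::Specification.load('my_gem.gemspec'))
def push_host_problems(spec)
  host = spec.metadata['allowed_push_host']
  if host.nil? || host.strip.empty?
    return ["#{spec.name}: allowed_push_host is not set, so `rake release` would push to rubygems.org"]
  end

  uri = begin
    URI.parse(host)
  rescue URI::InvalidURIError
    nil
  end
  if uri.nil? || uri.host.nil?
    return ["#{spec.name}: allowed_push_host #{host.inspect} is not a valid URL"]
  end

  problems = []
  if PUBLIC_GEM_HOSTS.include?(uri.host.downcase)
    problems << "#{spec.name}: allowed_push_host points at the public registry (#{uri.host})"
  end
  unless uri.scheme == 'https'
    problems << "#{spec.name}: allowed_push_host must use https, got #{uri.scheme.inspect}"
  end
  problems
end

# Convenience wrapper for a CI step: true only when no problems were found.
def private_gem_ok?(spec)
  push_host_problems(spec).empty?
end

# Constructed sample spec mirroring the gemspec in the post; host may be nil to
# simulate a gemspec that never set allowed_push_host.
def sample_private_spec(host)
  Gem::Specification.new('my_gem', '1.0') do |s|
    s.metadata['allowed_push_host'] = host unless host.nil?
  end
end
```

Wire private_gem_ok? into the build so a gemspec that is missing the key, or that names rubygems.org, fails before any release task runs.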

In case you already messed up, follow these instructions to get your gem removed. Of course, it's not possible to delete anything on the Internet, so this will only help a bit.

Posted by Tobias Kraze to makandra dev (2014-11-17 13:28)