
You do all deploy from your own cache of all the gems you depend on, right? No? Why not?


That only helps you with availability though, doesn't it? You are just as likely to have pulled backdoored files and cached them as to get backdoored files directly. Also, at some point you need to update.

So I think it only helps if you are likely to need to deploy additional/alternative servers of the same versions. For significant deployed services this makes sense, but if you are only in development/testing or using a service like Heroku it doesn't really help you very much, does it?


> You are just as likely to have pulled backdoored files and cached them as to get backdoored files directly.

At least your deployments will be consistent. This is a great starting point. Now all you have to do is check your cache against the backdoored version, and you instantly and verifiably know where your deployment stands.


I'd love to. Any helpful guides on how to proceed?



Wasn't aware of bundle --deployment, that's very helpful, thank you Steve.


Any time! Not enough people are.


  bundle package
will cache all of your deps in vendor/cache. You can install from this cache using:

  bundle install --local
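An added example, not code from this thread, of the check described earlier (comparing the cache you deploy from against what you originally pinned): record a SHA-256 digest for every .gem in vendor/cache right after `bundle package`, commit that manifest, and verify the cache against it before `bundle install --local`. The manifest format and the sample .gem files used in the test are constructed assumptions for this demo, not a Bundler feature.

```shell
#!/bin/sh
# Pin and verify the contents of a Bundler vendor/cache directory.
# Constructed example: the manifest ("<sha256>  <gem file>" per line) is
# an assumption for this demo, not a Bundler feature.

# sha256_of FILE: print the hex SHA-256 digest (sha256sum, or shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# write_manifest CACHE_DIR MANIFEST: record a digest for every cached .gem
# (run this right after `bundle package`, then commit the manifest)
write_manifest() {
  : > "$2"
  for f in "$1"/*.gem; do
    [ -e "$f" ] || continue
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$2"
  done
}

# verify_cache CACHE_DIR MANIFEST: run before `bundle install --local`.
# Prints one line per finding and returns non-zero if anything is off:
#   CHANGED  <gem>  digest differs from the pinned one (replaced or tampered)
#   MISSING  <gem>  pinned gem is absent from the cache
#   UNPINNED <gem>  gem is in the cache but was never pinned
verify_cache() {
  cache=$1 manifest=$2 rc=0
  while read -r want name; do
    [ -n "$name" ] || continue
    if [ ! -f "$cache/$name" ]; then
      echo "MISSING $name"; rc=1
    elif [ "$(sha256_of "$cache/$name")" != "$want" ]; then
      echo "CHANGED $name"; rc=1
    fi
  done < "$manifest"
  for f in "$cache"/*.gem; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    grep -Fq -- "  $name" "$manifest" || { echo "UNPINNED $name"; rc=1; }
  done
  return "$rc"
}
```

Keep the manifest outside vendor/cache (for example next to Gemfile.lock) so a swapped cache cannot also swap the digests it is checked against.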



