Jenny Shen - Demystifying the Ruby package ecosystem - Rails World 2023

Demystify the Ruby package ecosystem with Jenny Shen as she explores RubyGems, Pubgrub, Bundler, and more, revealing the inner workings of gem publication, installation, and resolution.

Key takeaways
  • RubyGems does not have a reliable way to track gems, which allows malicious gems to be published.
  • Most popular gem maintainers have Multi-Factor Authentication (MFA) enabled to prevent account takeover.
  • Pubgrub introduces a concept called traits to handle dependencies between gems.
  • A request set represents a list of gem information or requirements.
  • Bundler uses Pubgrub’s dependency resolver to resolve dependencies.
  • The most recent version of a gem is not always the best version.
  • Gem install can be done with various options, such as using a custom source or specifying a lower bound.
  • Bundler can provide better error messages due to tracking conflicts using Pubgrub.
  • Secure environments should be used when publishing gems through Continuous Integration (CI).
  • OIDC is a good way to securely publish gems through CI.
  • RubyGems provides a compact index to retrieve version information.
  • Gem files can be unpacked and viewed for reference.
  • RubyGems has a multi-threaded gem install process.
  • The best way to resolve version requirements is by using a diamond-shaped dependency graph.
  • Conflict-driven clause learning can be used to improve dependency resolution.
  • Gem paths can be added to the load path variable in Ruby so that gems can be run.
  • RubyGems provides a way to specify a source block to push gems to a custom source.
  • The best version to use for a gem is determined by the requirements specified in the gem file.
  • Conflict resolution can be handled by determining the best requirement for a gem.
  • Pubgrub’s dependency resolver uses a diamond-shaped dependency graph to resolve dependencies.
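The takeaways above about diamond-shaped dependency graphs, conflicts, and the newest version not always being the best one are easier to see in a small resolver. The following Ruby script is an added example, not code from the talk, from RubyGems or from Bundler: it builds a constructed in-memory index (the gem names `app`, `web`, `db`, `core` and their versions are made up for illustration) and resolves it with a plain backtracking search that prefers the newest version first, using the real `Gem::Version` and `Gem::Requirement` classes that ship with RubyGems to compare versions and check constraints. It is far simpler than Pubgrub, which records conflicts as incompatibilities and learns from them instead of retrying blindly, but it shows the same outcome: `web` and `db` both depend on `core`, and the newest `core` and `web` releases have to be rejected before a consistent set is found.

```ruby
require "rubygems"

# Constructed toy index (not rubygems.org data):
#   gem name => { version string => { dependency name => [requirement strings] } }
# The diamond: app -> web, app -> db, web -> core, db -> core.
INDEX = {
  "app"  => { "1.0.0" => { "web" => [">= 1.0"], "db" => [">= 2.0"] } },
  "web"  => { "1.0.0" => { "core" => ["~> 1.2"] },
              "1.1.0" => { "core" => [">= 1.6"] } },
  "db"   => { "2.0.0" => { "core" => ["< 1.5"] } },
  "core" => { "1.2.0" => {}, "1.4.0" => {}, "1.6.0" => {} },
  # A root whose requirements cannot all be met: web >= 1.1 forces core >= 1.6,
  # while db 2.0.0 requires core < 1.5.
  "broken_app" => { "1.0.0" => { "web" => [">= 1.1"], "db" => [">= 2.0"] } },
}.freeze

# One edge of the dependency graph: a gem name plus a Gem::Requirement on it.
Dependency = Struct.new(:name, :requirement)

# All published versions of a gem, newest first (Gem::Version sorts semantically,
# so "1.10.0" correctly comes after "1.9.0").
def versions_of(name, index)
  index.fetch(name, {}).keys.map { |v| Gem::Version.new(v) }.sort.reverse
end

# Dependencies declared by one specific version of a gem.
def dependencies_of(name, version, index)
  index[name][version.to_s].map do |dep_name, reqs|
    Dependency.new(dep_name, Gem::Requirement.new(reqs))
  end
end

# Depth-first backtracking resolver.
#   chosen  - Hash of gem name => Gem::Version decided so far
#   pending - Array of Dependency still to satisfy
# Returns a Hash of the full selection, or nil when no consistent set exists.
def solve(chosen, pending, index)
  return chosen if pending.empty?

  dep, *rest = pending

  # If this gem was already pinned by another path through the diamond, it must
  # also satisfy this edge's requirement; otherwise this branch is a conflict.
  if chosen.key?(dep.name)
    return nil unless dep.requirement.satisfied_by?(chosen[dep.name])
    return solve(chosen, rest, index)
  end

  candidates = versions_of(dep.name, index).select do |v|
    dep.requirement.satisfied_by?(v)
  end

  # Try newest first; a candidate that leads to a downstream conflict is
  # discarded and the next older one is tried.
  candidates.each do |version|
    next_pending = dependencies_of(dep.name, version, index) + rest
    result = solve(chosen.merge(dep.name => version), next_pending, index)
    return result if result
  end

  nil
end

# Resolve a root gem at its newest version. Returns name => Gem::Version, or nil.
def resolve(root, index = INDEX)
  solve({}, [Dependency.new(root, Gem::Requirement.default)], index)
end

if __FILE__ == $PROGRAM_NAME
  selection = resolve("app")
  selection.each { |name, version| puts "#{name} #{version}" }
  puts "broken_app: #{resolve('broken_app').inspect}"
end
```

For `app` the search first picks `web 1.1.0` and `core 1.6.0`, hits the conflict with `db`'s `< 1.5` bound, and backs off to `web 1.0.0` with `core 1.4.0`, even though newer releases of both gems exist. For `broken_app` every branch conflicts and the resolver returns `nil`; this is the point where Bundler's Pubgrub-based resolver produces a readable explanation of which requirements contradict each other, rather than just "could not find compatible versions".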