Jenny Shen - Demystifying the Ruby package ecosystem - Rails World 2023

Rails Security

Demystify the Ruby package ecosystem with Jenny Shen as she explores RubyGems, Pubgrub, Bundler, and more, revealing the inner workings of gem publication, installation, and resolution.

Key takeaways
  • RubyGems does not have a reliable way to track gems, which allows malicious gems to be published.
  • Most popular gem maintainers have Multi-Factor Authentication (MFA) enabled to prevent account takeover.
  • Pubgrub introduces a concept called traits to handle dependencies between gems.
  • A request set represents a list of gem information or requirements.
  • Bundler uses Pubgrub’s dependency resolver to resolve dependencies.
  • The most recent version of a gem is not always the best version.
  • Gem install can be done with various options, such as using a custom source or specifying a lower bound.
  • Bundler can provide better error messages due to tracking conflicts using Pubgrub.
  • Secure environments should be used when publishing gems through Continuous Integration (CI).
  • OIDC is a good way to securely publish gems through CI.
  • RubyGems provides a compact index to retrieve version information.
  • Gem files can be unpacked and viewed for reference.
  • RubyGems has a multi-threaded gem install process.
  • The best way to resolve version requirements is by using a diamond-shaped dependency graph.
  • Conflict-driven cause learning can be used to improve dependency resolution.
  • Gems can be installed with various options, such as specifying a lower bound or using a custom source.
  • Gem paths can be added to the load path variable in Ruby so that gems can be run.
  • Bundler’s dependency resolver uses Pubgrub to resolve dependencies.
  • RubyGems provides a way to specify a source block to push gems to a custom source.
  • Gem install can be used with various options, such as using a custom source or specifying a lower bound.
  • The best version to use for a gem is determined by the requirements specified in the gem file.
  • Gem paths can be added to the load path variable in Ruby so that gems can be run.
  • Conflict resolution can be handled by determining the best requirement for a gem.
  • Pubgrub’s dependency resolver uses a diamond-shaped dependency graph to resolve dependencies.
  • RubyGems provides a way to specify a source block to push gems to a custom source.
  • Gem install can be used with various options, such as using a custom source or specifying a lower bound.

More talks

RailsConf 2024 - Crafting Rails Plugins by Chris Oliver

Welcome to the AI jungle! Now what? by Kevin Dubois

PyData Chicago October 2024 Meetup

Genesis Keynote by Stephan Janssen

Big Data for the IoT

Ready for Rust • Erik Doernenburg • YOW! 2019

SAINTCON 2016 - Cory Stokes & Derek Larson - Using Security Self Assessment Survey Tools

37C3 - Unlocking the Road Ahead: Automotive Digital Forensics