How RubyGems.org protects OSS infrastructure

decasia

About this, I noticed a relatively prominent gem maintainer publicly announcing his efforts to avoid rubygems security measures:

> I'll try to get a unicorn 7.x release soon but tests take forever to run on ancient HW and I need to ration releases to keep download counts low in order to stay under the MFA threshold on Rubygems.org

> I don't ever want users viewing me as trustworthy nor liable for anything I do, so no MFA nor sigs from me; just source + docs :>

If I understand correctly - the idea is that the unicorn maintainer does not want to be viewed as trustworthy and is avoiding MFA and signatures because they could build trust that isn't, in this case, wanted.

https://yhbt.net/unicorn-public/20231214230933.M299458@dcvr/

jrochkind1

I feel like the unicorn maintainer(s) have been trying to kill unicorn for a while, making decisions meant to be user-hostile. I'm not sure why they are maintaining it at all.

drzaiusx11

From the unicorn readme:

"unicorn is an HTTP server for Rack applications that has done decades of damage to the entire Ruby ecosystem due to its ability to tolerate (and thus encourage) bad code."

Might have something to do with it.

Lammy

Based; mandatory MFA is annoying as hell.

paulryanrogers

So the solution is none? Not better MFA tools?

cosmic_cheese

Good work to everybody involved. Looking into donating now.

Ruby/Rails and its ecosystem continues to prove itself the practical, boring, reliable workhorse option.

princevegeta89

Boring? Not really.

My 2c: it is more enjoyable than the Js/Ts ecosystem we have today.

woodruffw

I think they meant boring in a positive way, as in "choose boring technology."

IFC_LLC

Interesting how the Internet turned into a place where you have to search for a long time in order to find something valuable. In this case - you have a dedicated team that sits there and diligently works on the quality of their product.

I should have turned to RoR 3 years ago.

ecshafer

Ruby on Rails is the most productive web framework I have ever worked in. RoR + the ecosystem is really geared towards getting things working quickly asap and it's great.

IFC_LLC

Oh, I will. I will. I'm quite amazed by the dedication of the team that supports the framework and how good care they have been taking of it.

Funny enough, one of the first articles I ever wrote on the internet was about RoR. It's dated 1st of March 2010. Gosh, it's been 15 years. At that moment I used https://rubyforge.org to download RoR, Instant Rails for Windows and Aptana as an IDE. 15 years have gone by, but RoR is here just like PHP is.

So it's getting better and better.

infamouscow

Welcome to the ecosystem o/

Dan42

Reading this, I couldn't help but think these guys really know where their towel is. The opposite of enshittification?

burnt-resistor

But still lacks mandatory gem signing. I also wonder how many malicious gems were published prior to this.

firesteelrain

Even if it was mandatory, if it doesn't get signed by a trusted CA then it is still self-signed. RubyGems would have to reject all. But signing alone does not prevent malicious code.