Eric Hodel on 07 Feb, 2013 04:41 AM
I've added mkristian who pushed this gem to this discussion.
We have not yanked a gem for these reasons before so I don't
want to discuss this properly.
Modern RubyGems suggests other names when you typo so we don't
need to worry about redirects for gem install.
Since we now have typo suggestions in RubyGems I think the
reasons for releasing this gem are no longer valid.
I'm concerned that active_support is confusingly similar to
activesupport. It infringes on the real gem's namespace.
I'm concerned that the gem is unmaintained. I don't think a
maintained version is particularly better, especially when the real
gem is very popular (near 20 million downloads, near 800k for its
current version) and a security release in activesupport could
cause users to be out of date, even if only by a few critical
Since my reply over the webgui did not reach: the reason for me to add
that "redirect" gem was that
https://rubygems.org/gems/rails_config/versions/0.1.0 depends on it.
For maven to install rails_config without an explicit version works only
if the dependencies can be resolved.
on 07 Feb, 2013 05:04 PM
Kristian, thanks for the quick response.
My guess is that in most cases, the authors would agree to
remove the gem since we now have typo suggestions. However, should
we blacklist some gem names so potential attackers wouldn't use
common typos to potentially make users' machines vulnerable?
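The kind of name check the question above is asking for, as an added example that is not part of this thread and not RubyGems.org code: it normalises separators and case (so active_support and activesupport collapse to the same string) and then applies an edit distance that counts keyboard transpositions, flagging a candidate that sits within one edit of a popular gem. The POPULAR_GEMS list is a constructed sample; a real check would read the index.

```ruby
# Added example: detect a gem name confusingly similar to a popular one.
# POPULAR_GEMS is a constructed sample, not the real download ranking.
POPULAR_GEMS = %w[activesupport activerecord rails rake nokogiri rails_config].freeze

# Collapse case and separators so active_support, active-support and
# ActiveSupport all become activesupport.
def normalize(name)
  name.downcase.gsub(/[-_.]/, "")
end

# Optimal-string-alignment distance: insertions, deletions, substitutions
# and adjacent transpositions, which covers the typos made at a keyboard.
def edit_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      # adjacent transposition, e.g. "rials" for "rails"
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.length][b.length]
end

# Returns the popular gem the candidate collides with, or nil if it is clear.
# The exact name of an existing popular gem is never a typosquat of itself.
def typosquat_of(candidate, popular = POPULAR_GEMS, max_distance = 1)
  return nil if popular.include?(candidate)
  norm = normalize(candidate)
  popular.find do |gem|
    norm == normalize(gem) || edit_distance(norm, normalize(gem)) <= max_distance
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[active_support activesuport rials nokogiri rspec].each do |name|
    hit = typosquat_of(name)
    puts hit ? "#{name}: too close to #{hit}" : "#{name}: ok"
  end
end
```

A threshold of one edit is deliberately tight: short names like rake and rack are one edit apart yet both legitimate, so a production check would treat a hit as a review trigger rather than an automatic rejection.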
A conversation has been started with the RubyGems.org staff to resolve this discussion.