Ruby gems are still not safe to use

In light of the recent security compromise, the community has been looking at ways to make RubyGems.org, and Ruby gems in general, more secure. That effort is still ongoing (feel free to help out in #rubygems on Freenode), but here is a highlight of what I think are some of the main issues.

Some of the issues highlighted here are taken from Ben Smith’s enlightening (but scary) talk at Aloha Ruby Conference.

I am not a security expert. I am just a Ruby developer and gem author who is worried about the current state of the Ruby gems ecosystem. I am also worried that the next piece of negative news around Ruby will involve the problems described below.

What are Ruby gems and what is RubyGems.org?

For those not familiar, RubyGems.org is the most popular repository of “gems” for the Ruby language. Gems are libraries made up of Ruby (and optionally C) code and can be uploaded by anyone who has registered for an account. RubyGems.org currently hosts 50,685 gems, which have been downloaded 1,259,533,358 times since July 2009. Ruby gems are not only hosted on RubyGems.org; anyone can run their own repository, but RubyGems.org is definitely the most used one.
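Because a gem can bundle C code and a build script that RubyGems runs on the installing machine, a practical first check before trusting a gem from any repository is to open the `.gem` file and look at what it actually contains. The script below is an added example (not code from this post or from the RubyGems project): it builds a small constructed gem named `sample-inspect-demo` in a temporary directory purely so the check can run offline, then reads the package metadata and file list with the standard `Gem::Package` API and reports whether the gem declares native extensions or ships C sources. The gem name, file names and `inspect_gem`/`build_sample_gem` helpers are all invented for this example.

```ruby
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Build a small constructed .gem inside +dir+ so the inspection below can run
# offline. Everything about this gem (name, files, extension) is made up here.
def build_sample_gem(dir, with_extension:)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/sample.rb", "module Sample; end\n")
    files = ["lib/sample.rb"]
    if with_extension
      FileUtils.mkdir_p("ext/sample")
      # extconf.rb is ordinary Ruby that RubyGems executes at install time
      File.write("ext/sample/extconf.rb", "require 'mkmf'\ncreate_makefile('sample')\n")
      files << "ext/sample/extconf.rb"
    end
    spec = Gem::Specification.new do |s|
      s.name    = "sample-inspect-demo"   # constructed name, not a real gem
      s.version = "0.0.1"
      s.summary = "constructed sample gem for offline inspection"
      s.authors = ["example"]
      s.files   = files
      s.extensions = ["ext/sample/extconf.rb"] if with_extension
    end
    # Gem::Package.build writes <name>-<version>.gem into the current directory
    File.join(dir, Gem::Package.build(spec))
  end
end

# Inspect a .gem file without installing it: read its spec and packaged file
# list, and flag native extensions (their build scripts run on the installing
# host) and any C sources shipped inside the archive.
def inspect_gem(path)
  package = Gem::Package.new(path)
  spec    = package.spec        # metadata.gz, verified against the checksums
  files   = package.contents    # file names inside data.tar.gz
  {
    name: spec.name,
    version: spec.version.to_s,
    files: files.sort,
    extensions: spec.extensions,
    c_code: files.any? { |f| f.end_with?(".c", ".h") },
    runs_code_at_install: !spec.extensions.empty?,
  }
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    report = inspect_gem(build_sample_gem(dir, with_extension: true))
    puts report.inspect
  end
end
```

In practice you would point `inspect_gem` at a file fetched with `gem fetch <name>` and review the report before running `gem install`; a gem that lists extensions or unexpected C sources deserves a closer look, because that code executes with the installing user's privileges.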

Current state

Some parts of the current infrastructure are worrying.

Proposals for change

How can I help?

Did I miss anything?

Please let me know and I’ll add it to the list.
