sonalkr132
commented
7 years ago Open sonalkr132 opened 8 years ago
sonalkr132
commented
7 years ago 
kbrock
commented
1 year ago I noticed this is quite an old conversation. What is the goal of this issue?
Are you trying to determine a game plan? Or looking for help on people to do the leg work? Or just trying to figure out if this is an attack vector/issue that we even care about?
Many of the gems listed above like prime, timeout and JRuby-OpenSSL are from recognizable people. (I just randomly clicked on a few) So mentioning it to them looks like it could quickly remove a few.
Has someone reached out the authors of the conflicting gems where the authors are the same? Are you looking for volunteers for this part of the effort?
The options that I see are:
When looking I also noticed the user name namespace on a few of these gems (saikuro). I remember why we ended up there, but sure wish we could drop a bunch of these. But again, that changes this into a much larger project.
My initial thought was if it is old, just drop the gem.
But clicking on one of the gems on the list, I noticed that it relied upon riot (from 2013) - but reverse dependency on that shows rabl (from 2022). So while riot is "old", it looks like someone is using it. So my initial though on using date to determine relevance is flawed. I think you alluded to this.
We have a wonderful community. Any time I have had a gem that I needed but was rotting, I just reached out to the author and they worked with me to revive it and just take the keys. (I won't pretend that some haven't rotted under my stewardship either)
Feels like many of the entries in this list could handles with a couple of emails. Just curious what the possible action items are so everyone is on the same page
simi
commented
1 year ago @kbrock the list at https://github.com/rubygems/rubygems.org/issues/1356#issuecomment-253784132is outdated, a lot of stdlibs were gemified and properly pushed.
kbrock
commented
1 year ago I can't remember, do the database dumps have the userid list of owners in them? And some form of download information besides counts (like the date of last download)?
feel like grouping the owners together and hitting the popular contributors could solve this. (or maybe it was already solved?)
simi
commented
1 year ago I can't remember, do the database dumps have the userid list of owners in them? And some form of download information besides counts (like the date of last download)?
feel like grouping the owners together and hitting the popular contributors could solve this. (or maybe it was already solved?)
this is the logic behind dump - it exposes only listed tables
Some operating systems may have case insensitive filesystem. Following gems are ordered by number of downloads of their counter part having number of downloads > 100_000. I have excluded gems where owners were same.
As you would go down the list mentioned above, it becomes unclear whether any action is needed at all. For ex: Cases where there has been no active development on either of gems for years.
You can find complete list of 183 gems here.