rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Add per-gem flag to stop linking to .gem files #3883

Open indirect opened 1 year ago

indirect commented 1 year ago

Is your feature request related to a problem?

Yes. As described at length in https://github.com/rapid7/metasploit-payloads/issues/650, the metasploit-payloads gem has been flagged by the Google Safe Browsing team as malware. This causes some automated tools to list rubygems.org as "may contain malware", and inserts a giant red banner in Chrome, Safari, and Firefox on the pages that link to any .gem downloads. The exact list of blocked/warned pages is copied below.

Describe the solution you'd like

I propose that we add a per-gem flag to remove the link tags to download each .gem file. This should not disrupt any actual users, who are installing the gems via gem install or bundle install, but it will (hopefully) remove the giant red interstitial warnings. It will not, sadly, clear the "may contain malware" flag on rubygems.org, because we would continue to host the actual .gem files even if we aren't linking to them anymore.

Describe alternatives you've considered

  1. We could do nothing. It's probably fine to do nothing, although it would continue to show (inaccurate) malware warnings in major browsers when you visit any HTML pages about the metasploit-payloads gem.
  2. We could remove the metasploit-payloads gem from rubygems.org. This seems unfair to Rapid7 and the security research community, as well as factually inaccurate--the gem contains code for security research purposes that you could use to harm a computer, but it will not itself harm your computer to download and unpack it, so it is not malware.

Additional context

According to the Google Search Console, the current list of supposed "malware" files is:

https://rubygems.org/downloads/metasploit-payloads-2.0.105.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.109.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.112.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.113.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.114.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.118.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.121.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.122.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.124.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.130.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.133.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.134.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.136.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.137.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.138.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.139.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.140.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.142.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.143.gem
https://rubygems.org/downloads/metasploit-payloads-2.0.145.gem

The list of pages that are being flagged for linking to the above files are:

http://rubygems.org/gems/metasploit-payloads
http://rubygems.org/gems/metasploit-payloads/
https://rubygems.org/gems/metasploit-payloads/versions/2.0.105
https://rubygems.org/gems/metasploit-payloads/versions/2.0.109
https://rubygems.org/gems/metasploit-payloads/versions/2.0.110
https://rubygems.org/gems/metasploit-payloads/versions/2.0.112
https://rubygems.org/gems/metasploit-payloads/versions/2.0.113
https://rubygems.org/gems/metasploit-payloads/versions/2.0.114
https://rubygems.org/gems/metasploit-payloads/versions/2.0.118
https://rubygems.org/gems/metasploit-payloads/versions/2.0.120
https://rubygems.org/gems/metasploit-payloads/versions/2.0.121
https://rubygems.org/gems/metasploit-payloads/versions/2.0.122
https://rubygems.org/gems/metasploit-payloads/versions/2.0.123
https://rubygems.org/gems/metasploit-payloads/versions/2.0.124
https://rubygems.org/gems/metasploit-payloads/versions/2.0.125
https://rubygems.org/gems/metasploit-payloads/versions/2.0.128
https://rubygems.org/gems/metasploit-payloads/versions/2.0.130
https://rubygems.org/gems/metasploit-payloads/versions/2.0.131
https://rubygems.org/gems/metasploit-payloads/versions/2.0.132
https://rubygems.org/gems/metasploit-payloads/versions/2.0.133
https://rubygems.org/gems/metasploit-payloads/versions/2.0.134
https://rubygems.org/gems/metasploit-payloads/versions/2.0.136
https://rubygems.org/gems/metasploit-payloads/versions/2.0.137
https://rubygems.org/gems/metasploit-payloads/versions/2.0.138
https://rubygems.org/gems/metasploit-payloads/versions/2.0.139
https://rubygems.org/gems/metasploit-payloads/versions/2.0.140
https://rubygems.org/gems/metasploit-payloads/versions/2.0.142
https://rubygems.org/gems/metasploit-payloads/versions/2.0.143
https://rubygems.org/gems/metasploit-payloads/versions/2.0.145
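
The proposal above, sketched as an added Ruby example (not rubygems.org's own code, whose models and views are not shown on this page): a `Rubygem` struct with a hypothetical `hide_download_links` flag, a renderer that omits `<a>` tags to `/downloads/*.gem` for flagged gems while leaving the download URLs themselves resolvable (so `gem install` and `bundle install`, which fetch the .gem directly, are unaffected), and a `link_allowed?` check that also covers simi's point below, namely that any other gem's metadata links could point at those same download paths. The struct, function names and sample gems are constructed for illustration.

```ruby
require 'uri'
require 'cgi'

# A gem as the proposal would model it (constructed; not the real ActiveRecord model).
# `hide_download_links` is the hypothetical per-gem flag.
Rubygem = Struct.new(:name, :versions, :hide_download_links, :metadata_links, keyword_init: true)

# Path of a .gem download on rubygems.org, e.g. /downloads/metasploit-payloads-2.0.105.gem
DOWNLOAD_PATH = %r{\A/downloads/(?<name>.+)-(?<version>\d+(?:\.\w+)*)\.gem\z}

# Returns the gem name if `url` points at a .gem download on rubygems.org, else nil.
def downloaded_gem_name(url)
  uri = URI.parse(url)
  return nil unless %w[rubygems.org www.rubygems.org].include?(uri.host)
  m = DOWNLOAD_PATH.match(uri.path.to_s)
  m && m[:name]
rescue URI::InvalidURIError
  nil
end

# A link may be rendered unless it targets a .gem download of a flagged gem.
# Applied to the gem's own version links and to arbitrary metadata links alike,
# so a third-party gem cannot re-create the flagged page by linking to those paths.
def link_allowed?(url, flagged_names)
  name = downloaded_gem_name(url)
  name.nil? || !flagged_names.include?(name)
end

# The download URL still exists; only the HTML link to it is suppressed.
def download_url(gem, version)
  "https://rubygems.org/downloads/#{gem.name}-#{version}.gem"
end

# Render the version list and metadata links of a gem page as an HTML fragment.
def render_gem_page(gem, flagged_names)
  flagged = flagged_names.dup
  flagged << gem.name if gem.hide_download_links
  html = +"<h1>#{CGI.escapeHTML(gem.name)}</h1>\n<ul>\n"
  gem.versions.each do |v|
    url = download_url(gem, v)
    html << "  <li>#{CGI.escapeHTML(v)}"
    html << %( <a href="#{CGI.escapeHTML(url)}">Download</a>) if link_allowed?(url, flagged)
    html << "</li>\n"
  end
  html << "</ul>\n"
  gem.metadata_links.each do |label, url|
    next unless link_allowed?(url, flagged)
    html << %(<a href="#{CGI.escapeHTML(url)}">#{CGI.escapeHTML(label)}</a>\n)
  end
  html
end

# Number of .gem download links a crawler would find in the rendered HTML.
def download_link_count(html)
  html.scan(/href="([^"]+)"/).flatten.count { |u| downloaded_gem_name(u) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the flagged gem with two of the versions listed above.
  mp = Rubygem.new(name: 'metasploit-payloads', versions: %w[2.0.143 2.0.145],
                   hide_download_links: true, metadata_links: {})
  puts render_gem_page(mp, [])
  puts "download links: #{download_link_count(render_gem_page(mp, []))}"
end
```

Rendering the flagged gem yields its version list with no download anchors, and a second gem whose metadata points at `/downloads/metasploit-payloads-*.gem` has that one link dropped while its other links survive.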

simi commented 1 year ago

I can implement this @indirect if welcomed, but it would be fair to make it transparent to users visiting that page and I would like to propose this only as a temporary solution for now, not accepting the fact that foreign party can control what content is safe and could be linked on rubygems.org. In theory, anyone can push a gem with metadata linking to any of those gem paths and create "harmful" page today.

indirect commented 1 year ago

Yes, I think that's fine. Ultimately, we would like to be able to convince the Safe Browsing team to stop marking security research as malware.

rubyFeedback commented 1 year ago

Seems reasonable.