| ▲ | nevinera 4 days ago | |||||||
I think you're right, but I suspect the root here is one of legal liability - if rubycentral is operating as a nonprofit that hosts _a recurring attack vector on other companies_, they'll have legal obligations to secure that service against those attacks. I assume they are continuously deploying out of that repository, and took the simplest route to controlling the attack vectors? I'm not sure how anyone familiar with open-source communities would fail to predict the backlash though. They really should have forked the repository and switched the deployments over to their downstream fork (if I'm right about the root cause here). (I'm mostly thinking in terms of supply-chain attacks, like this one: https://blog.rubygems.org/2025/08/25/rubygems-security-respo...) | ||||||||
| ▲ | woodruffw 4 days ago | parent | next [-] | |||||||
That would be a pretty broad assumption of liability: I'm not very involved in Ruby but I am involved in Python packaging, and to my knowledge there's been no similar discussion around the PSF's keys-to-the-code control over PyPI (which is in a similar position in terms of supply chain attack vectors). In other words: that argument is interesting, but it feels strained to me :-) -- I don't think RubyGems or Ruby Central is actually legally liable in this way (or if they are, it suggests a failure of clarity in their EULA/TOS). | ||||||||
| ||||||||
| ▲ | blibble 4 days ago | parent | prev [-] | |||||||
there is no contract to assign liability and I doubt you could ever get negligence to stick, given you are downloading code from some website and running it, on your own accord, entirely unprompted (but IANAL) | ||||||||