If supply chain integrity is the issue specifically for Shopify, couldn’t they run their own private, internally facing gem repository and whitelist everything that goes there? It’s not a requirement to use the public rubygems.
They probably thought it would be easier to takeover rubygems than ensure every dev and every machine for every possible ruby tool could be and is pointed at the internal gem repository.
Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew. That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, that no one would care or even know how to point at a private gem repository.
I too am scratching my head at this. If the problem is the outside community could be a risk, just do not drink from the firehose. Have processes in place to slowly vet and bring the outside world indoors.
Then again, that is not a very web scale suggestion.
That's not what I said. I was responding to the parent comment's statement that "I’m assuming there’s a ton of reputational risk in this move" by noting that, in relative terms, this likely isn't something people are paying attention to outside a very, very narrow universe.
kenhwang|5 months ago
Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew. That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, that no one would care or even know how to point at a private gem repository.
yakshaving_jgt|5 months ago
3eb7988a1663|5 months ago
Then again, that is not a very web scale suggestion.
hobs|5 months ago
flkiwi|5 months ago