undefined | Better HN

0 pointsmijoharas5mo ago0 comments

I think I basically agree with this, but my thoughts are more on which org is better placed now to respond to things like the recent supply chain attacks (ref for the specific recent ruby one[0][1]).

I'm unsure on who is better placed to handle that stuff now. My view is that the people that were doing that are now with gem.coop, but rubygems still has the infra (i.e. you'd email security@rubygems.org still for now).

I'm unsure about what to think about longer term (my personal approach is currently "wait and see").

Similarly, I'm perfectly happy with bundler for now, but if `rv` turns out to be like `uv`, I'd happily switch (drop-in replacement, but faster/some better features).

[0] https://www.bleepingcomputer.com/news/security/60-malicious-...

[1] https://blog.rubygems.org/2025/08/08/malicious-gems-removal....

0 comments

knowitnone35mo ago

Socket.dev states "Since at least March 2023". RubyGems says "Our team first detected this activity on July 20th". This attack has ran for almost 5 months undetected. I wouldn't feel reassured at all.

j / k navigate · click thread line to collapse