I see your comments on every Ruby-related thread and you sound like a broken record.

Many of us Ruby-users see the problems in a similar way and try to fix them. It's a learning process and it happens right now. The ruby community is also not an uniform blob. We are not 37signals and we are not the rubygems team. Many of us disagree with some decisions made at these places. Most of us also use other languages and are well aware of the trade-offs that Ruby implies.

This is all worth discussing and the specific problems are worth fixing. The rubygems-team happens to be working on their problem, which is a hard problem, right now; https://gist.github.com/4696144

Your mindless bashing on every Ruby HN-thread contributes nothing. Please use your time for something more productive, e.g. you could go to your preferred language community and help them fix their security problems, which they also have plenty of.

Ok, serious question: In which ways is rubygems less safe than .deb packages, .rpms, portfiles or ebuilds, python eggs, jars or composer files? All of those are mechanisms to distribute and deploy code. All of those suffer from the same basic vulnerability: They ship code that gets executed. If that code gets compromised, you have a viable attack. Debian saw its developer repositories compromised at least in 2006 [1] and back then, we had the same problem: In the beginning nobody was sure whether the package repositories had been attacked.

There is one critical difference between OS package repos and the programming language repos: For an OS package repo, signing is mandatory. Programming language repos allow that, but don't enforce it. Python is a little ahead here, but this is nothing that can't be fixed. I actually see that gem signing will be mandatory in the foreseeable future.

[1] http://www.debian-administration.org/articles/417

Yeah, see, you can't put the name calling aside. That's what i'm telling you.

Regardless of the merits of a discussion regarding security, open source software, and the ruby community, it's clear that you have an axe to grind, and are not participating in this conversation in a constructive manner.

There is no point in engaging you in a discussion about Ruby security, because you just want people to stop using Ruby. Again, that's your prerogative, but don't try to dress it up as your overwhelming concern for security.

The practical matter is that folks are going to continue using Ruby with 100% certainty for the short term.

So if you were actually interested in security, rather than trolling or gloating, you could actually comment on the technical matters under discussion, instead of just telling people "stop using ruby" and that the "proper fixing of these issues would go against everything that the Ruby community stands for."

Right, so it's perfectly possible to be both right, and an asshole.

I don't begrudge people being right (although, I also don't happen to think that Mr. Potato there is totally correct). I do however have a problem with people being jerks.

Moreover, being right does not give someone license to be a jerk either.

-----------------------------

As for the substance, yeah I do think there are ways to secure Ruby gems better, and I think that given the way the Ruby community is organized (since it's not a monolith), there are paths forward that can be organized and implemented by smart and interested rubyists, and those paths can and will be adopted by the bulk of developers who aren't as engaged in the Ruby ecosystem.