by jrochkind1 2500 days ago
Looking at the ruby docs, my interpretation is that if a gem is published only on github registry, there's no good way to use it as an indirect dependency (no good way for a gem to list it as a dependency) -- any app using such a thing would have to know the list of all of these indirect dependencies on github registry, and list them individually in the top-level Gemfile, along with their correct github source.

This seems to limit the utility for ruby. I'm not sure if other supported platforms have similar issues?

You could already do a lot of what github registry for ruby does by using an existing feature where you could already point to a git repo (not just GH) in your `Gemfile`. What this adds is just the ability to resolve multiple versions from github using ordinary rubygems resolution. The existing feature forced you to manually specify a tag (hoping there was a predictable tag for a version) or SHA, or use whatever is on master HEAD.

1 comments

Other platforms (maven/java comes to mind) benefit somewhat due to the compiled nature of artifacts.

The immutability of the packages is also handy as you pointed out by the hope and a prayer that a tag stays static.

Is there not a global config for rubygems that would specify a list of registries to search for a package instead of having to add them to each project?

The way they have set things up, every github account/organization (the first thing after a slash) is its own separate 'source' to rubygems. (I am sure they have done this because it would be inconvenient to integrate with rubygems/bundler any other way).

So you'd still need to add a separate source for each dependency hosted on github to your own project Gemfile. Including for each indirect dependency, knowing which indirect dependencies exist that need a github repo source.

If you could list this for the entire project... it'd probably be a performance issue as rubygems/bundler check every repo source you list for every dependency (including every indirect dependency; a Rails app has hundreds, still an order of magnitude or two less than a react JS project heh).

Even if you could only list "github's ruby registry" once (per project? for your account? and keep in mind this is hypothetical, you can't), it would still mean any gem expressing a dependency on another gem hosted on github would have to include in its instructions "oh, if you use this, you need to manually make sure to add github to your sources. Or you'll get an error that says some gem you've never heard of can't be found, and have no idea how to fix it." Unless it's a bid to get _everyone_ to do that, and basically make github ruby registry a standard part of the ecosystem that everyone just always adds to every project.

I don't think there's enough/any value added by the github ruby registry to get the ecosystem to shift like that. It's unclear what it does that the 'standard' rubygems.org gem source doesn't do already (unless rubygems.org can't solve their recent severe compromised account security problems... but as it is, with the indirect dependency problem, I think github registry will be too painful to use even if you'd like to, to escape rubygems.org security issues).

https://help.github.com/en/articles/configuring-rubygems-for...
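
Added example, not part of the thread and not Bundler's or GitHub's own code: a sketch of the per-owner source bookkeeping discussed above, walking a dependency graph and rendering the `source ... do` blocks a top-level Gemfile would have to carry by hand. The gem names, owner names and the `INDEX` table are constructed, and the script assumes it already knows where each gem is hosted, which is the information an app author would not have.

```ruby
# Constructed sample data: gem name => hosting source and direct dependencies.
# Every gem and owner name below is hypothetical.
RUBYGEMS = "https://rubygems.org"
GH = "https://rubygems.pkg.github.com/" # one source URL per GitHub owner

INDEX = {
  "my_app_widget" => { source: GH + "acme",     deps: ["acme_core", "rack"] },
  "acme_core"     => { source: GH + "acme",     deps: ["tiny_parser"] },
  "tiny_parser"   => { source: GH + "otherorg", deps: [] },
  "rack"          => { source: RUBYGEMS,        deps: [] },
}.freeze

# Walk the graph from the gems the app asks for and group every reachable
# gem that is not on rubygems.org by the source that hosts it.
def required_source_blocks(direct_gems, index)
  seen = {}
  queue = direct_gems.dup
  until queue.empty?
    name = queue.shift
    next if seen[name]
    entry = index.fetch(name) { raise KeyError, "unknown gem #{name}" }
    seen[name] = entry[:source]
    queue.concat(entry[:deps])
  end
  seen.reject { |_, src| src == RUBYGEMS }
      .group_by { |_, src| src }
      .transform_values { |pairs| pairs.map(&:first).sort }
end

# Render the Gemfile text: direct rubygems.org gems at top level, then one
# scoped source block per GitHub owner, indirect dependencies included.
def render_gemfile(direct_gems, index)
  lines = [%(source "#{RUBYGEMS}"), ""]
  direct_gems.each do |g|
    lines << %(gem "#{g}") if index.fetch(g)[:source] == RUBYGEMS
  end
  required_source_blocks(direct_gems, index).sort.each do |src, gems|
    lines << %(source "#{src}" do)
    gems.each { |g| lines << %(  gem "#{g}") }
    lines << "end"
  end
  lines.join("\n")
end

puts render_gemfile(["my_app_widget"], INDEX) if __FILE__ == $PROGRAM_NAME
```

The app asks for a single gem, yet the rendered Gemfile needs two owner-scoped blocks and names `tiny_parser`, a gem two levels down that the app never mentioned.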