[quesera]

Something along those lines, yes. Mirror/archive/caching obviously requires setup and maintenance.

Vendoring gems works well if you (and coworkers) develop and deploy on the same platform.

A minimal approach might be to keep local copies/clones of all gems. If things blow up, you can always build and vendor any missing dependencies, and then redeploy. You'd need to keep a local environment available that matches your deployment env, for building native gems.

GitHub and RubyGems are very reliable, although of course not 100%. It's more common (but still rare!) that an individial gem owner will do something odd, or remove an artifact. Often, you can wait the issue out, or spend a few hours constructing a workaround.

But sometimes you cannot wait. And sometimes you don't get the chance to decide -- your deployed and running code will suddenly fail because an application in AWS or GCE needs to scale up with new instances, or your existing instances auto-update, or otherwise replace themselves.

If that would be a serious problem, it makes sense to invest time into reducing third-party deployment dependencies.