[delichon]

> A version whose source does not expose created_at, such as older gem servers, historical entries from before the v2 cutover, or private registries still on the v1 format, is treated as outside the window and stays resolvable.

How is that not an easy exploit to circumvent the cooldown?

[werdnapk]

Most gems in Ruby/Rails projects come from rubygems, so if they were published long ago, any exploits should have already been found hopefully. Any old gems that would attempt to release a new compromised version would now get a created_at timestamp and the cooldown applies.

Unless you can compromise the gem server to overwrite created_at fields, I don't see any exploits here.

Private gem servers are either already trusted (if they're your own) or already under some scrutiny and extra care already being taken (ideally), but this last case applies to very few projects I'm sure.

[tenderlove]

RubyGems.org backfilled older releases with `created_at` fields, so theoretically you could still do the cooldown with very old gems (though I don't know why you would). It's only private / alternative gem servers that may not provide `created_at` fields.

[OptionOfT]

Can you in your own gem depend on gems from another server? Or does it need to be configured on the client?

If not, and the current defacto standard gem server doesn't accept v1 anymore, we're good I suppose?