by rlpb 4884 days ago
You do all deploy from your own cache of all the gems you depend on, right? No? Why not?
2 comments

That only helps you with availability though, doesn't it? You are just as likely to have pulled backdoored files and cached them as to get backdoored files directly. Also, at some point you need to update.

So I think it only helps if you are likely to need to deploy additional/alternative servers of the same versions. For significant deployed services this makes sense, but if you are only in development/testing or using a service like Heroku it doesn't really help you very much, does it?

> You are just as likely to have pulled backdoored files and cached them as to get backdoored files directly.

At least your deployments will be consistent. This is a great starting point. Now all you have to do is check your cache against the backdoored version, and you instantly and verifiably know where your deployment stands.

I'd love to. Any helpful guides on how to proceed?

  bundle package

will cache all of your deps in vendor/cache. You can install from this cache using:

  bundle install --local

Wasn't aware of bundle --deployment, that's very helpful thank you Steve.

Any time! Not enough people are.
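The two comments above (checking a vendor/cache against known-good or known-backdoored versions, and the bundle package / bundle install --local workflow) both come down to one step: record the digest of every .gem you cached on a trusted machine, then audit later caches against that record before installing. The Ruby script below is an added illustration, not code from the thread or from Bundler; it uses constructed file contents in a temporary directory, and the gem filenames, the manifest and the "known bad" digest list are all assumptions for the demo.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# SHA-256 of every .gem in a vendor/cache-style directory, keyed by filename.
# Run this right after `bundle package` on a machine you trust to produce a manifest.
def cache_digests(cache_dir)
  Dir.glob(File.join(cache_dir, "*.gem")).sort.each_with_object({}) do |path, acc|
    acc[File.basename(path)] = Digest::SHA256.file(path).hexdigest
  end
end

# Audit a cache against a pinned manifest {filename => sha256} and an optional
# list of digests known to be compromised. Returns lists of filenames:
#   :ok         digest matches the manifest
#   :mismatch   present but digest differs (tampered or silently republished)
#   :missing    in the manifest but not in the cache
#   :unexpected in the cache but not in the manifest (nothing vouches for it)
#   :known_bad  digest appears on the blocklist, whatever the manifest says
def audit_cache(cache_dir, manifest, known_bad = [])
  actual = cache_digests(cache_dir)
  report = { ok: [], mismatch: [], missing: [], unexpected: [], known_bad: [] }
  manifest.each do |name, expected|
    if !actual.key?(name)
      report[:missing] << name
    elsif actual[name] == expected
      report[:ok] << name
    else
      report[:mismatch] << name
    end
  end
  report[:unexpected] = actual.keys - manifest.keys
  report[:known_bad] = actual.select { |_, d| known_bad.include?(d) }.keys
  report
end

# A deploy is safe to run `bundle install --local` only when nothing is off.
def cache_clean?(report)
  %i[mismatch missing unexpected known_bad].all? { |k| report[k].empty? }
end

# Demo with a constructed cache: the gem files are placeholder text, not real gems.
def demo
  Dir.mktmpdir do |dir|
    cache = File.join(dir, "vendor", "cache")
    FileUtils.mkdir_p(cache)
    File.write(File.join(cache, "rack-1.5.2.gem"), "constructed gem contents A")
    File.write(File.join(cache, "rails-3.2.12.gem"), "constructed gem contents B (tampered)")
    File.write(File.join(cache, "extra-0.0.1.gem"), "constructed gem contents C")

    # Manifest recorded earlier from a trusted `bundle package` run (constructed here).
    manifest = {
      "rack-1.5.2.gem"     => Digest::SHA256.hexdigest("constructed gem contents A"),
      "rails-3.2.12.gem"   => Digest::SHA256.hexdigest("constructed gem contents B"),
      "nokogiri-1.5.6.gem" => Digest::SHA256.hexdigest("never cached")
    }
    # Blocklist of digests published as backdoored (constructed placeholder value).
    known_bad = [Digest::SHA256.hexdigest("constructed gem contents C")]

    audit_cache(cache, manifest, known_bad)
  end
end

if __FILE__ == $PROGRAM_NAME
  report = demo
  report.each { |k, v| puts "#{k}: #{v.join(', ')}" }
  puts(cache_clean?(report) ? "cache clean" : "cache NOT clean, do not deploy")
end
```

Wire the audit in as a gate: generate the manifest once from a trusted `bundle package`, commit it next to Gemfile.lock, and have every deploy run the audit before `bundle install --local`, refusing to proceed on anything but an all-:ok report.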