How RubyGems.org protects OSS infrastructure
16 days ago
- #RubyGems
- #OpenSource
- #Security
- RubyGems.org employs a multi-layered security approach to detect malicious gems, including automated detection, risk scoring, retroactive scanning, and external alerts.
- When a gem is flagged, RubyGems.org follows a verification process involving manual review, removal of confirmed malicious gems, and documentation of actions.
- A recent incident involving credential-stealing gems was proactively handled by RubyGems.org, with all malicious packages removed and accounts terminated.
- RubyGems.org encourages community reporting through email and Slack, emphasizing collaboration to maintain ecosystem security.
- The platform removes about one malicious or spam package weekly, supported by sponsors and volunteer maintainers, and invites companies to contribute through the RubyGems Supporter Program.