Cursed Bundler: Using go get to install Ruby Gems
4 months ago
- #package-management
- #ruby
- #go
- Ruby can use Go's module fetcher as a transport layer by setting GOPATH to a Ruby load path.
- Go's import path convention is self-describing, containing hosting domain, org, and repo, unlike centralized package managers.
- Go uses proxy.golang.org and sum.golang.org for caching and cryptographic hashing, ensuring integrity and auditability.
- Ruby gems can leverage Go's infrastructure by adding a go.mod file, bypassing RubyGems for better supply chain integrity.
- Dependency resolution in this setup would mirror Bundler's logic but use Go's fetching and integrity checks.
- Go's Minimal Version Selection (MVS) ensures predictability, unlike Bundler's preference for the latest version.
- Native extensions in Ruby gems are a limitation since Go expects source or pre-compiled binaries.
- Deno's attempt at URL imports faced similar trade-offs as Go's approach, leading to a retreat to a traditional registry.
- Self-describing paths eliminate registry lookups but are verbose, while short names are ergonomic but prone to squatting.
- The thought experiment suggests that package managers could share a content-addressed, transparency-logged distribution layer.
- Go's module system is accidentally universal, logging hashes of any content, including Ruby files.
- The experiment highlights the fundamental components of a package manager and questions which could be shared across ecosystems.