Here is the gem in question: https://rubygems.org/gems/bootstrap-sass/versions/3.2.0.3
Original issue: twbs/bootstrap-sass#1195
This gem is marked as yank but from my testing I can still install it via Ruby gems. I'm not entirely sure that this is not a local caching issue but I'm seeing the same behavior on Heroku.
Yes, we normally only remove gems from the index on yank, not from the backend storage. Because everything should be using the index, the fact that they exist in the backend storage doesn't matter.
We only delete gems from the backend storage in very specific situations.
If it's in your Gemfile.lock
it'll be able to download/install to avoid breaking builds too often. Imagine if Rails block all yanked versions.
I also read in the other thread about the issue where users had complained about cached versions of modules etc. If you however check dependencies based on projects that have Gemfile.lock
to figure out your dependency tree you don't need the gems actually installed.
Accepted the feedback and edited. Apologies for the strong message.
We only delete gems from the backend storage in very specific situations.
3.2.0.3 contains malware, could you please delete it?
Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)
In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.
A follow up question:
Do you still store yanked versions somehow, lets say for research? Or are the CVEs and the Github issue the only sources to get first hand information?
Do you still store yanked versions somehow, lets say for research?
Yes, as mentioned in the blog post the s3 bucket is versioned, but they are not accessible without admin interaction.
Most helpful comment
Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)
In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.