Rubygems.org: Should I be able to download a gem marked as yanked? (bootstrap-sass 3.2.0.3)

Created on 2 Apr 2019  路  7Comments  路  Source: rubygems/rubygems.org

Here is the gem in question: https://rubygems.org/gems/bootstrap-sass/versions/3.2.0.3

Original issue: twbs/bootstrap-sass#1195

This gem is marked as yank but from my testing I can still install it via Ruby gems. I'm not entirely sure that this is not a local caching issue but I'm seeing the same behavior on Heroku.

Most helpful comment

Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)

In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.

All 7 comments

Yes, we normally only remove gems from the index on yank, not from the backend storage. Because everything should be using the index, the fact that they exist in the backend storage doesn't matter.

We only delete gems from the backend storage in very specific situations.

If it's in your Gemfile.lock it'll be able to download/install to avoid breaking builds too often. Imagine if Rails block all yanked versions.

I also read in the other thread about the issue where users had complained about cached versions of modules etc. If you however check dependencies based on projects that have Gemfile.lock to figure out your dependency tree you don't need the gems actually installed.

Accepted the feedback and edited. Apologies for the strong message.

We only delete gems from the backend storage in very specific situations.

3.2.0.3 contains malware, could you please delete it?

Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)

In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.

A follow up question:
Do you still store yanked versions somehow, lets say for research? Or are the CVEs and the Github issue the only sources to get first hand information?

Do you still store yanked versions somehow, lets say for research?

Yes, as mentioned in the blog post the s3 bucket is versioned, but they are not accessible without admin interaction.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nicolasleger picture nicolasleger  路  10Comments

grosser picture grosser  路  6Comments

suriyaa picture suriyaa  路  7Comments

cjyclaire picture cjyclaire  路  8Comments

krithika369 picture krithika369  路  8Comments