
You can make hidden gems. It kinda breaks things and it's maybe a security vulnerability. Hiiiiii, everybody! 👋 #2430

@JoshCheek

Description

Okay. A series of very reasonable inclinations, which were not absurd in any way whatsoever, led me to eventually wonder whether I could make a gem whose name began with a leading dot. For example, can I make a gem named .omghi? Surely no.

Oh!

Uhhhhhh… heh…

Yes.

Yes, I can.

Whoops! 🤷‍♀️

After several hours of playing with the implications, I had a wealth of amusing discoveries. For example, I couldn't require its files because the leading dot made it hidden. lol, oh how amused I was in that moment! 😖

[screenshot, 2018-10-03 11:05 pm]

One last curiosity led me to publish it.

And oh! What fun!

It actually published successfully!

And it installed successfully!

And it… did not… uninstall successfully!

lolol

fuck 😖

[screenshot, 2018-10-04 8:40 am]

I'll ignore the mounting need to apologize and just keep an eye on it. Maybe it's totally fine? Maybe nothing will happen with it 🤞

…soooooooo 😬

yeah no 😖

After being published for < 2 days, the latest version has 1k downloads.


For comparison, seeing_is_believing, a legitimate gem that I've been maintaining for 6 years, has only 381 downloads over the last month. And that's a legitimate gem that I use every day, many people know about it, and if you're the kind of person who is reading this, then you're probably the kind of person who would massively benefit from using it! (eg in place of your REPL, and absolutely in place of whatever shitty hack you're using to embed outputs into your code samples… copy & paste #amirite)

[screenshot, 2018-10-05 11:50 pm]

Anyway, this is maybe a bug. I can definitely make a report that makes it sound like a bug: on this line (at the very least, my browser completed to it, so it was probably that one), the submitted pattern ignores hidden files (files whose names begin with a leading dot). This causes Rubygems to not realize it has installed the gem before (it's searching for *.gemspec, which ignores hidden files, so .omghi-2.gemspec is not returned by the dir globbing). Hence, you can install it. And it has certainly been installed (e.g. gem contents .omghi works). But when you go to uninstall it, it doesn't realize it's installed.


Also, some part of my brain 😇 worries that it could be a security vulnerability. I can't think of how that could happen, but still, it feels like the sort of mechanic that could be exploited.

But!!!!

Just so everyone here knows…

There's a second part of my brain whispering "publish 100,000 versions until you're the most downloaded gem in all of Rubygems" 😈

And, TBH, I am, for sure, 100%, not …listening to that second part of my brain

🤞


Here are my current environment details:

$ gem env version
2.7.6

I will abide by the code of conduct.
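The glob behaviour the report describes can be reproduced without touching RubyGems at all. The following is an added example, not code from the issue author or from RubyGems itself: it builds a throwaway "specifications" directory containing one ordinary gemspec and one whose name starts with a dot (both filenames are constructed fixtures), then shows that Ruby's Dir.glob("*.gemspec") silently skips the hidden one unless File::FNM_DOTMATCH is passed. The safe_gem_name? check at the end is a hypothetical mitigation (a name pattern of my own, not the rule RubyGems enforces) that simply refuses names beginning with a dot.

```ruby
require "tmpdir"

# Constructed fixture: a fake gem "specifications" directory holding one
# normal gemspec and one whose gem name begins with a leading dot.
# Neither file is a real gemspec; only the filenames matter here.
def with_fake_spec_dir
  Dir.mktmpdir("specs") do |dir|
    ["seeing_is_believing-3.7.0.gemspec", ".omghi-2.gemspec"].each do |name|
      File.write(File.join(dir, name), "# placeholder gemspec\n")
    end
    yield dir
  end
end

# Glob the way the report describes: "*.gemspec" with default flags.
# In Ruby, "*" does not match a leading dot, so the hidden gemspec is
# never returned and the gem looks uninstalled to anything relying on it.
def visible_gemspecs(dir)
  Dir.glob(File.join(dir, "*.gemspec")).map { |path| File.basename(path) }.sort
end

# The same glob with File::FNM_DOTMATCH, which lets "*" match a leading dot.
# "." and ".." cannot match "*.gemspec", so they never leak into the result.
def all_gemspecs(dir)
  Dir.glob(File.join(dir, "*.gemspec"), File::FNM_DOTMATCH)
     .map { |path| File.basename(path) }
     .sort
end

# Hypothetical input validation (an assumption, not RubyGems' actual rule):
# a gem name must start with a letter or digit, which rules out leading dots
# and therefore keeps every gemspec visible to a default glob.
def safe_gem_name?(name)
  name.match?(/\A[A-Za-z0-9][A-Za-z0-9_\-.]*\z/)
end

if __FILE__ == $PROGRAM_NAME
  with_fake_spec_dir do |dir|
    puts "default glob sees:      #{visible_gemspecs(dir).inspect}"
    puts "FNM_DOTMATCH glob sees: #{all_gemspecs(dir).inspect}"
  end
  puts "safe_gem_name?('omghi')  => #{safe_gem_name?('omghi')}"
  puts "safe_gem_name?('.omghi') => #{safe_gem_name?('.omghi')}"
end
```

Running it shows the default glob returning only seeing_is_believing-3.7.0.gemspec while the FNM_DOTMATCH variant returns both files, which is exactly the install-succeeds-but-uninstall-cannot-find-it asymmetry the report describes. Whether the right fix is to glob with FNM_DOTMATCH or to reject such names at publish time is a design choice; rejecting them is the smaller attack surface, since a hidden gemspec is also invisible to anyone auditing the directory with a bare ls.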
