
Should I be able to download a gem marked as yanked? (bootstrap-sass 3.2.0.3) #1941

Closed
uri opened this issue Apr 2, 2019 · 7 comments

@uri

commented Apr 2, 2019

Here is the gem in question: https://rubygems.org/gems/bootstrap-sass/versions/3.2.0.3

Original issue: twbs/bootstrap-sass#1195

This gem is marked as yanked, but from my testing I can still install it via RubyGems. I'm not entirely sure that this isn't a local caching issue, but I'm seeing the same behavior on Heroku.

@evanphx (Member) commented Apr 2, 2019

Yes, we normally only remove gems from the index on yank, not from the backend storage. Because everything should be using the index, the fact that they exist in the backend storage doesn't matter.

We only delete gems from the backend storage in very specific situations.

@evanphx evanphx closed this Apr 2, 2019

@dwradcliffe dwradcliffe reopened this Apr 3, 2019

@glebm glebm referenced this issue Apr 3, 2019

Open

3.2.0.3? #1195

@D-system commented Apr 4, 2019

If it's in your Gemfile.lock, it'll still be able to download/install, to avoid breaking builds too often. Imagine if Rails blocked all yanked versions.
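The two points above (evanphx: a yank removes the version from the index, not necessarily from storage; D-system: a version pinned in Gemfile.lock is still fetched) mean a lockfile can keep pulling a yanked version without any resolution error. The script below is an added example, not code from this issue or from RubyGems.org: it lists every gem in a Gemfile.lock whose exact version is absent from the remote index, using the output format of `gem list --remote --all` (the sample lockfile and listing here are constructed). Missing versions are candidates to review, since private or unpublished gems show up the same way.

```ruby
require 'set'

# Parse the `specs:` section of a Gemfile.lock into [name, version] pairs.
# Spec lines are indented by exactly four spaces; their dependencies by six.
def locked_specs(lockfile_text)
  lockfile_text.each_line.map { |line|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)/)
    m && [m[1], m[2]]
  }.compact
end

# Parse `gem list --remote --all` output into { name => Set[version, ...] }.
# Each line looks like:  name (1.2.0, 1.1.0 ruby x64-mingw32, 1.0.0)
# Only the leading version token of each entry is kept; platforms are ignored.
def parse_remote_list(output)
  output.each_line.each_with_object({}) do |line, index|
    m = line.match(/\A(\S+) \((.+)\)\s*\z/)
    next unless m
    index[m[1]] = m[2].split(',').map { |v| v.strip.split(' ').first }.to_set
  end
end

# Locked gems whose exact version is not in the remote index: the
# "yanked but still installable" case, because Bundler fetches a locked
# .gem by URL instead of resolving it through the index.
def unindexed_specs(lockfile_text, remote_index)
  locked_specs(lockfile_text).reject { |name, version|
    remote_index.fetch(name, Set.new).include?(version)
  }.map { |name, version| "#{name} #{version}" }
end

# Constructed sample inputs (not real command output).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.7)
        execjs
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      sass (3.7.3)
LOCK

SAMPLE_REMOTE = <<~OUT
  autoprefixer-rails (9.5.1, 9.4.7)
  bootstrap-sass (3.4.1, 3.4.0, 3.3.7)
  sass (3.7.3, 3.7.2 ruby java)
OUT

puts unindexed_specs(SAMPLE_LOCKFILE, parse_remote_list(SAMPLE_REMOTE)) if $PROGRAM_NAME == __FILE__
```

To run it against a real project, replace the constructed strings with `File.read('Gemfile.lock')` and the captured output of `gem list --remote --all`.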

@lirantal commented Apr 4, 2019

I also read in the other thread about the issue where users had complained about cached versions of modules etc. If you however check dependencies based on projects that have Gemfile.lock to figure out your dependency tree you don't need the gems actually installed.

Accepted the feedback and edited. Apologies for the strong message.

@glebm commented Apr 4, 2019

> We only delete gems from the backend storage in very specific situations.

3.2.0.3 contains malware, could you please delete it?

@dwradcliffe dwradcliffe assigned dwradcliffe and unassigned evanphx Apr 4, 2019

@dwradcliffe (Member) commented Apr 4, 2019

Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)

In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.

@dwradcliffe dwradcliffe closed this Apr 4, 2019

@schmijos commented Apr 8, 2019

A follow-up question:
Do you still store yanked versions somehow, let's say for research? Or are the CVEs and the GitHub issue the only sources to get first-hand information?

@dwradcliffe (Member) commented Apr 9, 2019

> Do you still store yanked versions somehow, let's say for research?

Yes, as mentioned in the blog post, the S3 bucket is versioned, but they are not accessible without admin interaction.
