RubyGems/Bundler maintainer Hiroshi Shibata discusses whether to add a 'cooldown' feature — a waiting period before newly released packages can be installed — as a supply chain security measure. He surveys how other ecosystems (npm, pnpm, Bun, Deno, uv, pip) have already adopted cooldowns, then outlines the pros and cons: cooldowns buy time for security researchers to scan malicious packages, but they also delay legitimate security fixes, create a 'guinea pig' problem if universally adopted, and provide only an illusion of safety without active scanning. The proposed plan is to offer cooldown as an opt-in option in Bundler (via CLI flag, config, and Gemfile syntax), while also pursuing server-side scanning metadata on rubygems.org and sandboxing gem install execution as more technically robust long-term defenses.
Table of contents
- TL;DR
- What Is a Cooldown?
- The Landscape
- Where Does Ruby Stand?
- What We're Considering
- Conclusion
- Notes
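The cooldown resolution the post describes, as an added example in Ruby that is not Bundler's or rubygems.org's own code: it picks the newest release old enough to clear the window and lists the releases the window holds back, which is where the "delays legitimate security fixes" trade-off becomes visible. The version list is constructed to resemble rubygems.org version entries, and the function names are hypothetical.

```ruby
require "time"

# Constructed sample shaped like rubygems.org version entries (only the
# fields this example needs). Not real release data.
SAMPLE_VERSIONS = [
  { "number" => "2.0.0",     "created_at" => "2024-06-10T09:00:00Z", "prerelease" => false },
  { "number" => "1.9.1",     "created_at" => "2024-06-08T18:00:00Z", "prerelease" => false },
  { "number" => "1.9.0",     "created_at" => "2024-05-01T12:00:00Z", "prerelease" => false },
  { "number" => "2.1.0.pre", "created_at" => "2024-06-11T00:00:00Z", "prerelease" => true  },
].freeze

# Seconds in a day, used to turn the cooldown into a cutoff timestamp.
DAY = 24 * 60 * 60

# Newest non-prerelease version published at least `cooldown_days` before
# `now`. Anything younger is treated as not yet installable. Returns nil when
# nothing is old enough; the caller must then fail closed or keep the version
# already in the lockfile rather than silently take a fresh release.
def resolve_with_cooldown(versions, cooldown_days:, now: Time.now.utc)
  cutoff = now - cooldown_days * DAY
  eligible = versions
    .reject { |v| v["prerelease"] }
    .select { |v| Time.iso8601(v["created_at"]) <= cutoff }
  eligible.map { |v| Gem::Version.new(v["number"]) }.max&.to_s
end

# Versions the window holds back. Surfacing these lets a user notice when a
# withheld release is a security fix they would rather take immediately.
def withheld_by_cooldown(versions, cooldown_days:, now: Time.now.utc)
  cutoff = now - cooldown_days * DAY
  versions
    .reject { |v| v["prerelease"] }
    .select { |v| Time.iso8601(v["created_at"]) > cutoff }
    .map { |v| v["number"] }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 6, 12)
  [0, 3, 7].each do |days|
    chosen = resolve_with_cooldown(SAMPLE_VERSIONS, cooldown_days: days, now: now)
    held = withheld_by_cooldown(SAMPLE_VERSIONS, cooldown_days: days, now: now)
    puts "cooldown #{days}d: install #{chosen.inspect}, withheld #{held.inspect}"
  end
end
```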