I'm Hiroshi Shibata (hsbt), a Ruby committer and the maintainer of RubyGems and Bundler.          ... Tagged with ruby, security, supplychainsecurity, packaging.

Dev.to is a community platform for developers, offering resources, discussions, and networking opportunities to empower individuals in their coding journey. Developers can learn new programming languages, frameworks, and tools, engage in discussions on best practices, and share their experiences with fellow developers to enhance their skills and grow their professional network.

RubyGems/Bundler maintainer Hiroshi Shibata discusses whether to add a 'cooldown' feature — a waiting period before newly released packages can be installed — as a supply chain security measure. He surveys how other ecosystems (npm, pnpm, Bun, Deno, uv, pip) have already adopted cooldowns, then outlines the pros and cons: cooldowns buy time for security researchers to scan malicious packages, but they also delay legitimate security fixes, create a 'guinea pig' problem if universally adopted, and provide only an illusion of safety without active scanning. The proposed plan is to offer cooldown as an opt-in option in Bundler (via CLI flag, config, and Gemfile syntax), while also pursuing server-side scanning metadata on rubygems.org and sandboxing gem install execution as more technically robust long-term defenses.

Should RubyGems/Bundler Have a Cooldown Feature?