Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should I be able to download a gem marked as yanked? (bootstrap-sass 3.2.0.3) #1941

Closed
uri opened this issue Apr 2, 2019 · 7 comments
Closed

Should I be able to download a gem marked as yanked? (bootstrap-sass 3.2.0.3) #1941

uri opened this issue Apr 2, 2019 · 7 comments
Assignees
@dwradcliffe

Comments

@uri
Copy link

uri commented Apr 2, 2019

Here is the gem in question: https://rubygems.org/gems/bootstrap-sass/versions/3.2.0.3

Original issue: twbs/bootstrap-sass#1195

This gem is marked as yank but from my testing I can still install it via Ruby gems. I'm not entirely sure that this is not a local caching issue but I'm seeing the same behavior on Heroku.
@evanphx
Copy link
Member

evanphx commented Apr 2, 2019

Yes, we normally only remove gems from the index on yank, not from the backend storage. Because everything should be using the index, the fact that they exist in the backend storage doesn't matter.

We only delete gems from the backend storage in very specific situations.

@evanphx evanphx closed this as completed Apr 2, 2019
@dwradcliffe dwradcliffe reopened this Apr 3, 2019
@glebm glebm mentioned this issue Apr 3, 2019
Open
@D-system
Copy link

D-system commented Apr 4, 2019

If it's in your Gemfile.lock it'll be able to download/install to avoid breaking builds too often. Imagine if Rails block all yanked versions.

@mdesantis mdesantis mentioned this issue Apr 4, 2019
Closed
@lirantal
Copy link

lirantal commented Apr 4, 2019
edited
Loading

I also read in the other thread about the issue where users had complained about cached versions of modules etc. If you however check dependencies based on projects that have Gemfile.lock to figure out your dependency tree you don't need the gems actually installed.

Accepted the feedback and edited. Apologies for the strong message.

@glebm
Copy link

glebm commented Apr 4, 2019

We only delete gems from the backend storage in very specific situations.

3.2.0.3 contains malware, could you please delete it?

@dwradcliffe dwradcliffe assigned dwradcliffe and unassigned evanphx Apr 4, 2019
@dwradcliffe
Copy link
Member

Evan's original message was actually incorrect. Since 2015 we do remove the file from the backend storage which makes it impossible to download from RubyGems.org. (This doesn't impact any 3rd party mirrors, which we have no control over.)

In this case, since the gem was not yanked via the normal methods it was yanked incorrectly which left it in an invalid half-yanked state, as you noticed. This has been resolved and the gem should no longer be able to be downloaded.

@schmijos
Copy link

schmijos commented Apr 8, 2019

A follow up question:
Do you still store yanked versions somehow, lets say for research? Or are the CVEs and the Github issue the only sources to get first hand information?

@dwradcliffe
Copy link
Member

Do you still store yanked versions somehow, lets say for research?

Yes, as mentioned in the blog post the s3 bucket is versioned, but they are not accessible without admin interaction.

@dependabot dependabot bot mentioned this issue Oct 11, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dwradcliffe dwradcliffe

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@evanphx @dwradcliffe @glebm @schmijos @lirantal @uri @D-system