2013: What a Year!
Funny how time flies when you do what you love. Here at Gemfury, 2013 started out a bit rough, but has finished as another outstanding year. Scrolling back through the big announcements doesn’t give enough insight into all the other hard work we’ve dedicated this year to delighting our customers and community. Today is a good day to sum up what has kept us busy.
Organizations: Gemfury Goes to Work
Not so long ago, Gemfury started out as a simple solution to a single developer’s problem. Since then the service has grown to be an invaluable tool in both our team’s and others’ toolkits. Today, we are introducing Organizations - a growing set of improvements that make Gemfury better for team and business use.
Your team meets here
By creating an Organization account, you will decouple your team’s code from any individual member. All the packages, billing, ownership, and access will be centralized and controlled within your new Organization account. Furthermore, unlike Personal accounts, you will no longer be compelled to share your password to share administrative duties - an Organization can be administered by one or more owners just by switching the context of your new Dashboard.
Introducing Your New Dashboard
A few months ago, we arrived at the conclusion that the design and the underlying technology behind our dashboard no longer fit the future of Gemfury. Since then, we’ve worked with many of you, our customers, to develop a better way to manage your packages. Today, we’re happy to share the product of this collaboration — the new Gemfury Dashboard.
Version Badge for Python and more
Although Gemfury Package Repo is our main vocation, we believe that it’s part of our mission to give back to the hacker community through code contribution, guides, and value-add services. So while we are putting the final touches on some major updates to Gemfury, today, I’d like to note a couple of recent improvements that we have made to the Version Badge service.
Version Badge for NPM Modules
Since the original announcement two months ago, hundreds of package owners have installed the Version Badge, helping thousands of developers every day to quickly identify and find the installable package associated with a GitHub repo or a project webpage. Among many others, some notable projects are Devise, CanCan, Celluloid, and Slim.
Today, we are happy to introduce Version Badge for NPM modules.
Unleash the Fury.io
Over the course of the last few months, we have been carefully extending Gemfury for multi-user and multi-language use. Today, we would like to announce two big changes to the way you download and install your packages.
RubyGems.org Vulnerability Explained
After evaluating Gemfury’s processing of RubyGems, we feel it is important to share our understanding and bring awareness to possible security issues when parsing untrusted YAML input.
On January 30, 2013, the community package server RubyGems.org was compromised through a remote code execution vulnerability. The all-volunteer team sprang into action and in the following 53 hours yanked the exploit, patched the vulnerability, verified all the existing gems, and migrated the service to AWS. As of today, the service has been restored and deemed safe for use.
Important: This vulnerability came from misuse of a standard YAML library and might not be specific to just RubyGems.org. Many applications depend on this library and are potentially vulnerable to a similar exploit if exposed to untrusted YAML input — please take this opportunity to audit and secure your own applications.
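The audit the paragraph above asks for comes down to one question: does any code path hand attacker-controlled YAML to a loader that will instantiate arbitrary Ruby objects? The example below is added here for illustration and is not Gemfury’s code or part of the original post. It shows the defensive pattern with Ruby’s standard Psych library: parse untrusted documents with `YAML.safe_load`, allow nothing beyond plain scalars, arrays and hashes unless a class is explicitly permitted, disable aliases, and then validate the shape of what came back. The three manifest documents are constructed samples; the `!ruby/object:Object` tag stands in for any object tag, and no specific class or payload is needed to show that the strict loader refuses it. Note that since Psych 4 (Ruby 3.1), `YAML.load` already behaves like `safe_load` and the old behaviour lives in `YAML.unsafe_load`; on older Rubies the switch to `safe_load` must be made explicitly.

```ruby
require 'yaml'

# Constructed sample: a benign package-manifest document, similar in
# shape to what a package server would read out of an uploaded archive.
BENIGN_MANIFEST = <<~YAML
  name: demo-package
  version: 1.0.0
  dependencies:
    - rake
    - rspec
YAML

# Constructed sample: the same document carrying a tag that asks the
# parser to instantiate a Ruby class. Any "!ruby/object:" tag is enough
# to demonstrate the difference between the lenient and strict loaders.
TAGGED_MANIFEST = <<~YAML
  name: demo-package
  version: !ruby/object:Object {}
YAML

# Constructed sample: a document using an alias. Aliases are not code
# execution, but nested alias expansion can exhaust memory, so a strict
# loader for untrusted input refuses them too.
ALIASED_MANIFEST = <<~YAML
  base: &base
    name: demo-package
  copy: *base
YAML

# Parse YAML from an untrusted source. Only plain scalars, arrays and
# hashes are accepted; object tags, symbols and aliases are refused unless
# a class is explicitly listed in `permitted:`. Returns [:ok, data] on
# success or [:rejected, message] when Psych refuses the document.
def load_untrusted_yaml(text, permitted: [])
  data = YAML.safe_load(text, permitted_classes: permitted, aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, "#{e.class}: #{e.message}"]
end

# A safe deserialisation is not the same as a valid manifest: check that the
# decoded hash carries exactly the fields and types the application expects.
def valid_manifest?(data)
  return false unless data.is_a?(Hash)
  return false unless data['name'].is_a?(String) && data['version'].is_a?(String)
  deps = data.fetch('dependencies', [])
  deps.is_a?(Array) && deps.all? { |d| d.is_a?(String) }
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_MANIFEST, TAGGED_MANIFEST, ALIASED_MANIFEST].each do |doc|
    status, payload = load_untrusted_yaml(doc)
    puts "#{status}: #{payload.inspect}"
    puts "  valid manifest: #{valid_manifest?(payload)}" if status == :ok
  end
end
```

Run as a script, the benign document loads and passes validation, while the tagged and aliased documents are rejected before any object is built. When a legitimate document really does need a richer type (a `Date`, a `Symbol`), pass that class through `permitted:` rather than falling back to the unrestricted loader, so the allowlist stays visible in the code that an auditor reads.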