A few months ago, we have arrived at the conclusion that the design and the underlying technology behind our dashboard no longer fits in the future of Gemfury. Since then, we’ve worked with many of you, our customers, to develop a better way to manage your packages. Today, we’re happy to share the product of this collaboration – the new Gemfury Dashboard.
After evaluating Gemfury’s processing of RubyGems, we feel it is important to share our understanding and bring awareness to possible security issues when parsing untrusted YAML input.
On January 30, 2013, the community package server RubyGems.org was compromised with a rogue code execution vulnerability. The all-volunteer team sprung to action and in the following 53 hours yanked the expoit, patched the vulnerability, verified all the existing gems, and migrated the service to AWS. As of today, the service has been restored and deemed safe for use.
…Today we’re officially launching Gemfury to finally bring all the conveniences of RubyGems to your private Gems. What started as an internal collection of scripts has finally turned into a “real thing.” We love using it, and hope that you will too.
