>It kind of feels like this fork is the better-maintained piece of software now.
Maybe, but I feel the value of the index is the storage and bandwidth and not the software itself, isn't it?
Could an index work by just being a search engine for gems, storing the hashes, but pointing to external resources, like GitHub repos, for the download itself?
Is it? Anybody could publish to Rubygems. Barring obviously malicious packages that happened to get noticed by a researcher, what trust were folks placing in Rubygems?
The package repository going rogue is a significant escalation compared to merely having individual malicious packages that go undetected. You can't possibly argue that those two are the same.
To put my cards on the table: RubyGems.org seems plenty trustworthy to me. They seem to be shitty at communication, but locking down production access to systems in light of the state of supply chain attacks in 2025 is the kind of thing that reduces the risk of rogue repo-level activity.
But to your comment: I'm not arguing the same, I'm arguing that the results are the same. If I'm consuming packages from a repo, and I care about the security of the thing I'm running, I need to think about how I know I'm getting legitimate code that does what I expect it to do. One of the risks to that is malicious developers at the package level (either outright malicious or stolen publish credentials). Another is malicious substitution by the package repo. The detection strategies and next steps are different but as a consumer of code, bad code is a risk regardless of who injects it.
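The two design questions raised above, an index that only stores hashes and points at external hosts for the download, and the consumer's problem of knowing the bytes it runs are the bytes the publisher put out, can be sketched in a few lines of Ruby. This is an added example, not code from gem.coop, rubygems.org or anyone in this thread; the index contents, the download URL and the "gem archive" bytes are constructed placeholders. The caveat to keep in mind: a pinned digest catches substitution by whoever serves the bytes (a hostile mirror, a compromised host), but it says nothing about whether what the publisher uploaded was benign in the first place.

```ruby
require "rubygems"
require "digest"

# Constructed stand-in for the bytes of a .gem archive. In a real deployment this
# would be the archive fetched from the external host the index points at.
GOOD_GEM_BYTES = "constructed stand-in for rack-3.1.0.gem archive bytes".b.freeze

# A minimal "search-only" index entry: name, version, the SHA-256 of the .gem
# file, and a pointer to wherever the bytes are actually hosted. The index never
# serves the file itself. The URL is a hypothetical placeholder.
INDEX = {
  "rack" => {
    "3.1.0" => {
      "sha256"       => Digest::SHA256.hexdigest(GOOD_GEM_BYTES),
      "download_url" => "https://example.invalid/gems/rack-3.1.0.gem",
    },
  },
}.freeze

class UnknownGem < StandardError; end
class ChecksumMismatch < StandardError; end

# Newest version of a gem known to the index, compared as gem versions rather
# than as strings (so "3.10.0" sorts above "3.9.0").
def latest_version(name, index: INDEX)
  versions = index.fetch(name) { raise UnknownGem, name }.keys
  versions.max_by { |v| Gem::Version.new(v) }
end

# Resolve name/version against the index, fetch the bytes from the external
# location via +fetcher+ (a callable taking the URL; injected so this runs
# offline), and refuse anything whose digest differs from the pinned one.
# The pinned digest is public, so a constant-time compare is not needed here.
def fetch_verified(name, version, fetcher:, index: INDEX)
  entry = index.dig(name, version)
  raise UnknownGem, "#{name}-#{version} not in index" unless entry

  bytes  = fetcher.call(entry["download_url"])
  actual = Digest::SHA256.hexdigest(bytes)
  unless actual == entry["sha256"]
    raise ChecksumMismatch,
          "#{name}-#{version}: index pins #{entry['sha256'][0, 16]}..., host served #{actual[0, 16]}..."
  end
  bytes
end

if $PROGRAM_NAME == __FILE__
  honest   = ->(_url) { GOOD_GEM_BYTES }
  tampered = ->(_url) { "attacker-replaced archive".b }

  v = latest_version("rack")
  puts "resolved rack #{v}; #{fetch_verified('rack', v, fetcher: honest).bytesize} bytes verified"
  begin
    fetch_verified("rack", v, fetcher: tampered)
  rescue ChecksumMismatch => e
    puts "rejected: #{e.message}"
  end
end
```

The fetcher is injected so the same verification path can be exercised against an honest host and a tampered one without network access; in practice it would wrap an HTTP client pointed at whatever GitHub release or mirror the index entry names, and the index itself would need its own integrity story (signing, or pinning its digests in the consumer's lockfile) so that a rogue index cannot simply rewrite the hashes.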
Nonsense. The solution to a malicious package is to not use that single package. The solution to a malicious package repository is to abandon that package repository entirely.
Also, you don't secure a package repository through hostile takeovers, and you certainly don't build trust with such an obvious lie. Claiming that the current rubygems.org is in any way trustworthy is utterly absurd.
With this in place: a ".coop" domain does not signal trustworthiness. It's more like a childish revenge attempt. Don't get me wrong. I think it's a great idea for the original maintainers to begin work on a fork. However, they could have chosen a better domain name.
My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io). In general, why should I trust domain_name.xyz over domain_name.com? There are obvious caveats, e.g. it doesn't matter as much for generic words like "gem" and for personal sites that I don't trust much in the first place. In this case, 3 seconds of critical thinking makes it clear that they have a plausible reason for choosing .coop. But given that much of this controversy is premised on toolchain trust, there are plenty of other domains that seem even more trustworthy to me at first glance, e.g. gem-lib.org, gemcoop.org, stuff like that.
Again, a domain name is pretty minor in the scope of this whole fiasco, and I wouldn't have bothered with bringing up this point, but on balance I agree with it.
Using .coop is actually a costly signal that you are, in fact and in law, a cooperative, and intend to stay one, since non-cooperatives are not allowed to occupy those domains. Dot Org, while it's used by a lot of well known organisations, is an open domain that anyone can register in.
Of course, it's also true that many people won't have the spare time to find that out.
> My first-order heuristic is that legitimate websites tend to get one of the top TLDs (.com/.org, maybe .net/.io)
This is so funny to hear after 18 years in the west coast, Silicon Valley-led tech industry. All of the .app, .io, .tv, .tech, .guru, and now .ai I've seen, and only when it's "coop" does anyone complain.
I'm pretty sure people have been complaining about weird TLDs for as long as I've been on the internet. .guru, .tech, and .app are all equally untrustworthy to me. I don't recall seeing any .tv websites other than twitch. .io and (only recently) .ai are used often enough that it's contextually plausible a legitimate company would use one of those TLDs as their first choice, but if someone linked to chatgpt.ai or chatgpt.io for example, I'd still assume it's a scam.
> legitimate websites tend to get one of the top TLDs
Yeah. Sorry. That is unsubstantiated and by no means a good measure of trustworthiness.
Luckily I track my browsing and have some stats I can share from the last 3 years on my non-work PC! Here's a breakdown (by time spent on website):
94.3%: Original 7 TLDs + .io (which is common enough these days that I consider it no less trustworthy than .com).
2.0%: Shortlink TLDs (e.g. .co, .it) that I usually only see when they are clearly associated with one of the TLDs above. Most of the time spent looking at these sites is when I right click -> open image in new tab, e.g. i.redd.it.
0.7%: ccTLDs used as intended (sites associated with the country's government, or personal websites that I don't put much trust into regardless of TLD).
0.6%: twitch.tv; well-known enough that I don't have to think about its TLD.
0.4%: .club; from a board game site my friends made me use. I inherently distrust this site regardless of TLD.
0.2%: .wiki and .gg sites that are from a wiki moving away from fandom.
1.8%: Remainder. Mix of things like .app, .xyz, .fun, etc.
Spot-checking a few dozen of my top sites in the last 1.8% shows that most are small/personal sites that I would not place trust in in the first place. Several are also websites like that .club site: garbage that at best is designed to shove ads in my face, and at worst is trying to pose as something official when it is not.
I only found a few websites that are official/authoritative for a substantial community or organization, but don't have one of the top TLDs: twitch.tv, arduino.cc, nouns.wtf, expo.dev, osu.ppy.sh, trackmania.exchange, dev.to, teenage.engineering, minecraft.wiki, *.wiki.gg, stackoverflow.blog, nebula.tv, perplexity.ai, and a few mastodon servers are the only sites in this category that I spent more than 60 seconds on in the last 3 years. Excluding twitch.tv, they combined represent <0.1% of my total browsing.
Thank you for making me look into this, I now trust my heuristic even more!
I view ".coop" quite highly given it is restricted to actual, legally recognized, cooperatives. Its definitionally more meaningful and "trustworthy" than .com or .org
I'd only say it's a real issue if this were a "normie-facing" website. But being a developer tool, we all know that there are legitimate domains other than .com, .org, and .net.
Combining this with something like tangled.sh/Bluesky's AT Protocol, or what Forgejo is working on in their ActivityPub federation integration, can actually make it genuinely federated as well.
Or maybe Radicle as well, if someone is okay with swapping in custom software, but the hiccups can be too much imo, so tangled.sh is the most interesting thing to me right now.
What is stopping something like gem.coop from existing with the AT Protocol/tangled.sh?