« All posts

Bağımlılıklar Neden Doğrudan VCS'den Çekilmeli: Go vs RubyGems

Go modüllerinin VCS tabanlı bağımlılık modeli ile RubyGems/npm'in paket yayınlama modeli karşılaştırılıyor; tedarik zinciri güvenliği ve denetim kolaylığı ele alınıyor.

The author, having recently switched from Go to Ruby at work, contrasts how the two ecosystems handle dependencies. Go fetches packages directly from VCS via URLs, with go.mod serving as both dependency manifest and lock file, backed by hash verification through sum.golang.org—making audits as simple as running git log -p over the diff.

RubyGems, npm, and PyPI instead rely on a separate 'publish a package' step, meaning the uploaded archive isn't guaranteed to match the source repo. This breaks commit history and forces manual tarball diffing for audits. Most notable supply-chain attacks—npm account takeovers, the hidden xz exploit, and the 2018 event-stream/flatmap-stream incident—specifically targeted this publishing step. Compiled, minified, or binary artifacts make the problem worse, especially in npm.

RubyGems' recent additions of a cooldown period and AI-assisted vulnerability scanning are seen as short-term fixes; the author argues the real solution is rethinking the publish-based model entirely in favor of direct VCS fetching. While Bundler already allows git-sourced gems for direct dependencies, indirect dependencies still come from rubygems.org, prompting a proposal for a mechanism that would enforce git-based fetching across the board without breaking existing Gemfiles.