Open
Description
This is a proposal for a substantial project. I want to gauge community support before undertaking work on it.
I want gemstash to be able to satisfy the resilience and security needs of an organization strongly. Specifically, I wish for the following features, which gemstash appears to currently lack.
- The ability to operate off a whitelist--serve only accepted versions of accepted gems. (Allowlist only certain gems to cache #320)
  - This is not a small piece of work. Generally, we want to fetch everything and log new version availability for review. We need a monitor mode so that devs can pull in new gems & gem versions & trigger a review. We need permissions to update the whitelist.
- Log (WARN) if a cached version of a gem is yanked. (what is the expected behavior when the gem was yanked from rubygems? #291)
  - Server to be configurable as to whether or not cached gems continue to be served. Erroring out is an option.
  - Configuration to be global with individual version overrides
- Log (WARN) if an upstream gem changes without a version update.
  - Both versions kept, but response is configurable.
- Resolve Support hosts in FIPS mode #194 / GEMSTASH-194 Support for FIPS Mode #195 / added fips flag #290
Implicitly, these changes likely require addressing at least #408 and/or #409, #154, and #67.
The ability to remap gem versions might also be useful.