Sections in this article
In any serious production sceanrio, you should run your own gem server.
That’s because:
- a gem can used as an attack vector to gain access to run artbitrary code in your environment
- sometimes a gem owner will yank a gem your depend on
Luckily there are a few options available to you.
Geminabox
Geminabox is a very simple, self-hosted gem server. It is installed either as a gem or as a docker container. It requires ruby 2.3+ and that you have some knowledge of ruby to run it. That’s because you’ll be writing your own rack configuration file (config.ru) and implementing your own rack-compatible authentication system. Geminabox also supports mirroring gems from rubygems, and comes with a Dockerfile that you can use to build and manage your own Geminabox container image. Geminabox has not seen a release since June 2022.
Pros:
- Simple
- Basic UI
Cons:
- Roll your own authentication and authorization
- No RBAC
- No gem allow-lists
- Build and manage your own docker containers
Gemstash
Gemstash is another popular option for a self-hosted gem server. It has more features than Geminabox but is also more complex. Gemstash uses a SQL database (postgres or mysql) as well as a cache server (memcached). For any serious usage you’ll likely end up running those on separate servers from Gemstash. Since it is distributed as a rubygem, you’ll need to install and manage a version of ruby, no official docker image seems to exist. Gemstash also relies on the gemstash command for starting and stopping the server. If you want to use systemd to run the Gemstash server you will need to create your own systemd unit files.
Pros:
- Scalable
- Repo is maintained
Cons:
- No UI
- No gem allow-lists
- Need to install and manage an external cache and SQL database
- No official Dockerfile or docker image
Gemfast
Gemfast is a new type of self-hosted rubygems server written in Go. This means you won’t need to worry about patching any versions of ruby or rubygems.Gemfast does not rely on an external database or caching server because those services are embedded right into the gemfast binary. It is distributed as either a Debian package or an offical docker image so you can install it how you like. Configuration is handled by a single file using HCL format (the same as all HashiCorp products) and it supports multiple authentication strategies including GitHub OAuth.
Pros:
- Install via Debian package or docker
- UI that supports uploading and downloading gems
- Does not require ruby, bundler or any other gems
- Does not require an external cache or SQL database
- Supports GitHub or Basic Authentication and RBAC
Cons:
- ELv2 license
Conclusion
With Gemfast we tried to strike a balance between simplicity and features that makes it a great choice.