On Jul 15, 2008, at 19:38 PM, Kurt Stephens wrote:
> Jim Weirich wrote:
>> On Jul 8, 2008, at 4:45 PM, Sam Ruby wrote:
>>> It is not just prodding them with a stick - we have gem maintainers
>>> who haven't integrated patches, or even responded to email.
>
> This might be far-fetched, but ...
>
> If the licensing allows it, why wait for a gem developer/administrator to
> approve and merge patches/fixes?
>
> 1. Create 1.9 git repos from latest versions of gems (or some other
> distributed version control system).
> 2. Create a central registry of git repos for each gem.
> 3. Change rubygems to be able to pull from git repos.

RubyGems already has code to pull from various gem repositories.  Just
set up a second repository, and if people want to add it, they can.

> 4. Change rubygems to use a SHA1 hash as a version string.

RubyGems versions are of arbitrary length; just add another dot
version to the end.  Hashes should not be shown to end-users; it is
not friendly to them.

> 5. People who use and fix the gems can share their efforts, without
> waiting for someone, by posting a new git repo location and version
> string for the gem.
> 6. For the security conscious, the gem installer can verify a gem
> source's SHA1 hash that has been signed against a gem's known public
> key.  There could be a --verify mode that would only pull and install
> gems that can be verified against the gem's trusted public key.

RubyGems already has signing built-in.  See `gem help cert` and `ri
Gem::Security`.
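The "--verify" installer mode sketched in point 6 above, as an added example that is not part of the thread and is not RubyGems' own Gem::Security code. It models the idea directly with OpenSSL: the gem owner signs the package bytes, the registry publishes the digest and signature beside the package, and the installer accepts only packages whose signature verifies under a public key already in its trust store. The gem bytes, key pairs and trust store are all constructed inline; SHA-256 stands in for the SHA1 named in the proposal.

```ruby
require 'openssl'
require 'digest'

# Added example, not RubyGems' Gem::Security. Models the proposed --verify
# installer mode: only packages whose signature verifies under a trusted
# public key get installed. SHA-256 is assumed here instead of SHA1.
SIG_DIGEST = 'SHA256'

# Installer-side trust store: key fingerprint => public key.
class TrustStore
  def self.fingerprint(pub)
    Digest::SHA256.hexdigest(pub.to_der)
  end

  def initialize
    @keys = {}
  end

  def add(pub)
    @keys[self.class.fingerprint(pub)] = pub
    self
  end

  def lookup(fp)
    @keys[fp]
  end
end

# Gem-owner side. Returns the metadata a registry would publish beside the
# package: content digest, the signer's key fingerprint, and a signature
# over the raw package bytes.
def sign_gem(gem_bytes, private_key)
  {
    'sha256' => Digest::SHA256.hexdigest(gem_bytes),
    'signer' => TrustStore.fingerprint(private_key.public_key),
    'sig'    => private_key.sign(OpenSSL::Digest.new(SIG_DIGEST), gem_bytes)
  }
end

# Installer side. Returns :ok or a symbol naming the first failed check.
# The digest is checked before the signature so a corrupt download is
# reported as such rather than as a forgery.
def verify_gem(gem_bytes, meta, trust)
  pub = trust.lookup(meta['signer'])
  return :untrusted_signer unless pub
  return :digest_mismatch unless Digest::SHA256.hexdigest(gem_bytes) == meta['sha256']

  valid = begin
    pub.verify(OpenSSL::Digest.new(SIG_DIGEST), meta['sig'], gem_bytes)
  rescue OpenSSL::PKey::PKeyError
    false # malformed signature blob counts as a failed verification
  end
  valid ? :ok : :bad_signature
end

# Walks through four constructed cases; gem bytes and keys are made up here.
def demo
  owner    = OpenSSL::PKey::RSA.new(2048)
  attacker = OpenSSL::PKey::RSA.new(2048)
  trust    = TrustStore.new.add(owner.public_key)

  gem_bytes = "fake-gem-package-contents-v1.0.0"
  meta      = sign_gem(gem_bytes, owner)

  tampered = gem_bytes.sub("v1.0.0", "v1.0.1")
  # Attacker fixes up the digest but cannot produce the owner's signature.
  forged_meta = meta.merge('sha256' => Digest::SHA256.hexdigest(tampered))
  # Attacker signs with their own key, which the installer does not trust.
  attacker_meta = sign_gem(tampered, attacker)

  {
    genuine:          verify_gem(gem_bytes, meta, trust),
    corrupt_download: verify_gem(tampered, meta, trust),
    forged_digest:    verify_gem(tampered, forged_meta, trust),
    untrusted_key:    verify_gem(tampered, attacker_meta, trust)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, result| puts "#{label}: #{result}" }
end
```

The point the four cases make is that a published hash alone only catches corruption; it is the signature under a key the installer already trusts that stops someone who can rewrite both the package and the hash next to it, which is exactly the case that matters when anyone can post a new repo location for a gem.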