Nothing is more important to us than the safety of your data, and we’d like to sincerely thank our customers for their trust so far! Still, because we are very concerned with security, we find it unacceptable to be forced to ask you for full access to your projects. We had a lot of complaints regarding this problem, and we fully agree with you: **you should never grant access to your work.**

That’s why we’re proud to unveil today a new way to keep your projects in shape, without lowering your security requirements.

Why did we need a full access to your private repos?

Gemnasium is fully integrated with Github: it automatically fetches your repositories and gets notified about code updates (pushes). But for that, you need to authorize Gemnasium to access your code through OAuth.

Unfortunately, Github only provides a “Read + Write” access level for private repos (the “repo” scope), which implies full trust in the third-party service. For freelancers and agencies, it meant sharing their customers’ code with us, which is often forbidden by contracts or NDAs (and that’s a good thing!).

If you don’t trust this gem either, keep calm and relax, the source code is fully available:

How does it work?

Dependencies can be tracked now without authorizing any access to your application code, just by using that tiny gem!

Drop it in your project (or just install the gem), run the install command, fill in the config file and you’re ready to go in a few seconds!

You can also use the provided post-commit Git hook to automatically push updates to Gemnasium when you commit changes on your dependency files.

Alternatively, you can use the “gemnasium” command, the rake task, or even call Gemnasium’s gem classes directly from your code. See the readme for more details.

Finally, using the Rake task, a CI server can be in charge of pushing the changes for you.

Behind the scene

When executed, the Gemnasium gem calculates SHAs for your dependency files (the same way Git does it) and sends them to the Gemnasium API to compare with the remote ones. If anything changed in the files, the SHAs will differ and the Gemnasium gem will then upload the updated files.
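The comparison step described above, as an added illustration that is not the gem’s own code: it computes each dependency file’s Git blob SHA-1 (header `blob <size>\0` followed by the raw bytes, as `git hash-object` does) and reports which files differ from the SHAs the server already holds. The file contents and remote SHA table are constructed sample data.

```ruby
require 'digest/sha1'

# Compute a Git blob object id for +content+ exactly as `git hash-object` does:
# SHA-1 over the header "blob <byte size>\0" followed by the raw bytes.
def git_blob_sha(content)
  Digest::SHA1.hexdigest("blob #{content.bytesize}\0#{content}")
end

# Given local dependency files (path => content) and the SHAs the server already
# holds (path => sha), return the paths whose content must be uploaded.
# Files unknown to the server are uploaded too; unchanged ones are skipped,
# so file contents only leave the machine when they actually changed.
def files_to_upload(local_files, remote_shas)
  local_files.each_with_object([]) do |(path, content), changed|
    changed << path unless remote_shas[path] == git_blob_sha(content)
  end
end

# Constructed sample input (not real project data): the local Gemfile was
# edited since the last push, Gemfile.lock was not.
LOCAL_FILES = {
  'Gemfile'      => "source 'https://rubygems.org'\ngem 'rails', '4.0.0'\n",
  'Gemfile.lock' => "GEM\n  remote: https://rubygems.org/\n",
}
REMOTE_SHAS = {
  'Gemfile'      => git_blob_sha("source 'https://rubygems.org'\ngem 'rails', '3.2.13'\n"),
  'Gemfile.lock' => git_blob_sha("GEM\n  remote: https://rubygems.org/\n"),
}

if __FILE__ == $0
  puts "files to upload: #{files_to_upload(LOCAL_FILES, REMOTE_SHAS).inspect}"
end
```

The SHAs match those `git hash-object` prints for the same bytes, so the server can compare against what it already stores without ever seeing the unchanged files again.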

The post-commit Git hook we provide is even smarter, as it will only trigger the SHA check if your commit contains changes to your dependency files. It’s even faster than with our Github service hook!

One great thing about this gem is that you can check for dependency updates without pushing to the repository! Just update the dependency files, run “gemnasium push” and everything gets updated on

Gemnasium Gem is published under the MIT license. It’s compatible with all Ruby projects, not only Rails apps. We’ve made it as light as possible and it doesn’t require any other dependency. It is only compatible with Ruby >= 1.9 for now, though (yes, that means Ruby 2.0 too!).

For Node.js project owners, please note that this gem is also able to upload package.json and npm-shrinkwrap.json files, as long as you have a working Ruby. For the others, don’t worry, an npm module is coming!

Please also note that for now the gem only works with existing Gemnasium profiles. So you still need to link your Gemnasium account with Github after registration (with read-only public access at least) and order a plan for one of your Github profiles. You’ll then be able to add your offline projects to the profile of your choice. Offline private projects count toward your plan’s private slots limit.

We’re also working on fully offline profiles to allow non-Github setup. This will come a bit later. Stay tuned!

How to migrate an existing project?

If you have already set up your projects to be synchronized automatically with Github, you can switch them to use the gem. Just follow the readme to complete the setup and use the “gemnasium create --force” command. The “--force” option will override the existing setup, updating your project’s origin attribute from “github” to “offline”. Warning: there is currently no easy way to switch back to the Github origin (you need to contact support). Use with caution.

You can then update your Github permissions in your settings to use the read-only public access.

No more excuses not to track your dependencies and keep your projects in shape with Gemnasium!

Cheers, Gemnasium Team
