> The perfect candidate to succumb to this type of "spray-and-pray" supply chain attack is a Ruby developer whose environment of choice is a Windows system that's also periodically being used to make Bitcoin transactions. A rare breed indeed.

Very rare indeed. I suppose every package had its own BTC address. I wonder how much they got away with.

But I thought RubyGems does a similarity check for names and rejects or flags them for manual verification if the name is too similar to an existing one?
I would support a Great Renaming, wherein underscores and dashes are considered equivalent and insignificant:

<pre><code> action-mailer_cache_delivery
action-mailer-cache-delivery
actionmailercachedelivery
act-ion-ma-iler_c-ache-deli_very
</code></pre>
Should resolve to the same entry in RubyGems.

I would also support this usage in `require` lines.

The "experts-exchange" (or "pen-is-mightier") problem is tiny compared to the frustration and security risk of the present policy.
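The normalisation rule proposed in the comment above, as an added example that is not part of the thread and is not RubyGems code: a canonical form that case-folds the name and drops every dash and underscore, plus a hypothetical `GemRegistry` that refuses to register a second name with the same canonical form. The registry class, the `register`/`collision_for` methods and the run over the four spellings are assumptions for illustration; nothing here reflects how RubyGems actually indexes names.

```ruby
# Added example, not code from the thread or from RubyGems.
# Canonical form for the "Great Renaming": case-fold, then delete '-' and '_'
# so that all spellings of action-mailer_cache_delivery collapse to one key.
# (In String#delete a leading hyphen is literal, so "-_" means the two
# characters '-' and '_', not a range.)
def canonical_gem_name(name)
  name.downcase.delete("-_")
end

# Hypothetical registry keyed by canonical name. This models the proposed
# policy, not RubyGems' current behaviour.
class GemRegistry
  def initialize
    @by_canonical = {} # canonical name => name as first registered
  end

  # Name of the already-registered gem that this name would collide with,
  # or nil if the canonical form is free.
  def collision_for(name)
    @by_canonical[canonical_gem_name(name)]
  end

  # Register a name, refusing it when its canonical form is already taken.
  # Returns [:ok, name] on success or [:collision, existing_name] otherwise.
  def register(name)
    key = canonical_gem_name(name)
    if @by_canonical.key?(key)
      [:collision, @by_canonical[key]]
    else
      @by_canonical[key] = name
      [:ok, name]
    end
  end
end

# The four spellings from the comment (constructed input for the demo).
NAMES = %w[
  action-mailer_cache_delivery
  action-mailer-cache-delivery
  actionmailercachedelivery
  act-ion-ma-iler_c-ache-deli_very
].freeze

# Register each spelling in order; only the first succeeds, the rest collide
# with it because they share the canonical key "actionmailercachedelivery".
def demo
  registry = GemRegistry.new
  NAMES.map { |n| registry.register(n) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |status, name| puts "#{status}: #{name}" }
end
```

The same `canonical_gem_name` would be applied on the `require` side too, so that `require "action-mailer-cache-delivery"` and `require "action_mailer_cache_delivery"` look up the same installed gem; that is the second half of the proposal and needs no separate logic.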
Free software projects need to converge on standard platforms and tools. In the modern, complex world, it's bad enough that they can't keep up with proprietary software features and polish. But they can't keep up with the black hat industry either.