The problem, as with every package manager, is transitive dependencies. It's all well and good to set up direct dependencies to only pull from git repositories, but bundler still needs a way to resolve those gems' dependencies.
You could pre-resolve every dependency in your chain to a git repository, even to a fork under your own control, but that will end up being a maintenance nightmare.
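One way to see the problem concretely: even when every gem in the Gemfile points at a git remote, the resulting Gemfile.lock still carries a GEM section whose `remote:` is the central index, because that is where the git-sourced gems' own dependencies are resolved. The script below is an added example, not code from the thread or from Bundler; the lockfile it parses is constructed for the example (the gem names and the rack URL are real, the revisions and versions are illustrative), and it reports which resolved gems still come from the index and which of those are transitive rather than declared.

```ruby
# Added example: read a Gemfile.lock and report which gems still resolve from
# the central index even though every direct dependency is pinned to git.
# The lockfile below is constructed for this example.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/rack/rack.git
    revision: 0123456789abcdef0123456789abcdef01234567
    tag: v3.1.8
    specs:
      rack (3.1.8)

  GIT
    remote: https://github.com/sparklemotion/nokogiri.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    tag: v1.16.7
    specs:
      nokogiri (1.16.7)
        racc (~> 1.4)

  GEM
    remote: https://rubygems.org/
    specs:
      racc (1.8.1)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri!
    rack!
    rake

  BUNDLED WITH
     2.5.11
LOCK

SOURCE_SECTIONS = %w[GIT GEM PATH].freeze

# Returns { gem_name => { type:, remote:, version:, revision:/tag:/... } }
# for every resolved spec. Section headers are unindented; source attributes
# are indented two spaces; resolved specs exactly four; a spec's own
# dependency lines six (those are resolved elsewhere, so they are skipped).
def resolved_sources(lock_text)
  sources = {}
  section = nil
  source  = nil
  lock_text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line !~ /\A\s/
      section = line
      source  = { type: section } if SOURCE_SECTIONS.include?(section)
      next
    end
    next unless SOURCE_SECTIONS.include?(section)
    if (m = line.match(/\A  (remote|revision|ref|branch|tag|glob): (.*)\z/))
      source[m[1].to_sym] = m[2]
    elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      sources[m[1]] = source.merge(version: m[2])
    end
  end
  sources
end

# Names declared in the Gemfile (the DEPENDENCIES section). Bundler appends
# "!" to a dependency that is satisfied by a non-index source such as git.
def direct_dependencies(lock_text)
  in_deps = false
  lock_text.each_line.with_object([]) do |raw, names|
    line = raw.rstrip
    next if line.empty?
    if line !~ /\A\s/
      in_deps = (line == 'DEPENDENCIES')
      next
    end
    next unless in_deps
    names << line.strip.chomp('!').sub(/\s*\(.*\)\z/, '')
  end.sort
end

# Gems whose bits come from the GEM remote (the central index).
def from_central_index(lock_text)
  resolved_sources(lock_text).select { |_, s| s[:type] == 'GEM' }.keys.sort
end

# Index-sourced gems that nobody declared directly: the transitive ones that
# pinning direct dependencies to git does not cover.
def transitive_from_index(lock_text)
  from_central_index(lock_text) - direct_dependencies(lock_text)
end

if __FILE__ == $PROGRAM_NAME
  resolved_sources(SAMPLE_LOCKFILE).each do |name, s|
    where = s[:type] == 'GIT' ? "#{s[:remote]}@#{s[:revision][0, 12]}" : s[:remote]
    puts format('%-10s %-4s %s', name, s[:type], where)
  end
  puts "still fetched from the index: #{from_central_index(SAMPLE_LOCKFILE).join(', ')}"
  puts "of which transitive: #{transitive_from_index(SAMPLE_LOCKFILE).join(', ')}"
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with `File.read('Gemfile.lock')`; anything listed as transitive is a gem you never chose a source for and that Bundler will keep pulling from whichever index `remote:` names.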
Can't a middle-ground compromise happen, as it does in something like golang?
Can some VPS/serverless provider not do this, like fly.io as a recent example with kurt got got? Or Hetzner?
I think that golang's model can actually be sort of cheaper/more cost-effective for servers compared to how Ruby might be doing it right now, and so cheaper might mean that a new non-profit can be created which can work on less money/outside funding/drama overall.
Retrofitting Go's dependency model into Ruby is not trivial. Go has used full URLs for dependencies from the jump, making a central package repository irrelevant. Ruby doesn't have that. At best you might have a source code URL in the gem source that you can access from a gem server, but that doesn't really do anything. Someone still has to provide the index.
> I think that golang's model can actually be sort of cheaper/more cost-effective for servers compared to how Ruby might be doing it right now, and so cheaper might mean that a new non-profit can be created which can work on less money/outside funding/drama overall.
It also means no code signing, and the natural capture of most of the ecosystem by Microsoft (since devs prefer to host their code on GitHub, a bundler that lacks package hosting will be entirely at the whim of MS).
If you are worried about github/MS capture...
Then my suggestion is to just create mirrors of golang projects you like on gitlab/codeberg
But this is so so much better than having arko or somebody having your PII.
Like, I hate github, but I am pretty sure that people there aren't actively looking for my PII when I download go projects, or that a single person couldn't really access it, I suppose.
I am not really familiar, but if I remember the Heads project related to coreboot, isn't there a way to sign your github repository with your ssh key or something related? (I can be wrong, I usually am.)
Like, I know it could be a pain in the ass, but if you are so worried about github, what if we could optionally have everything be gpg'd via ssh keys, and the project could only work if someone shares an ssh key?
And something like rubygems could just have a name <-> github mapping <-> gpg mapping. It might require some additional software right now, but I am just giving ideas, maybe for new languages as well, I am not sure.
What are your thoughts? And what do you think the ideal way could be? I have heard from many people (like primagen) that golang is the best package model, and I also resonate with that statement, but yeah, github is a bit of a menace/threat to open source.
All the more reason to use something like codeberg!