---
date: "2004-08-25T11:50:59Z"
title: RubyGem Thoughts
---

<p>
Last night I created <a href='http://rubygems.rubyforge.org/'>RubyGems</a> for <a href='/software/fam-ruby/'>FAM-Ruby</a>,  <a href='/software/imlib2-ruby/'>Imlib2-Ruby</a>, <a href='/software/joystick-ruby'>Joystick-Ruby</a>, <a href='/software/mb-ruby/'>MB-Ruby</a>, and <a href='/software/xmms-ruby/'>Xmms-Ruby</a> (with a <a href='/software/raggle/'>Raggle</a> gem coming soon).  The gems I've made so far are available <a href='/download/gems/'>here</a>.  <a href='http://rubygems.rubyforge.org/'>RubyGems</a> seems promising, here are my thoughts so far:
</p>

<ul>
<li>Easy to use: once you get the hang of things it only takes a few minutes to create a gem for a package.  There's a guide called <a href='http://rubygems.rubyforge.org/wiki/wiki.pl?CreateAGemInTenMinutes'>"Create a Gem in 10 Minutes"</a>, but it looks like it's about 20 minutes too old; some of the command-line flags have changed since the guide was written.</li>
<li>Seems to be popular: A lot of popular projects seem to be creating gems (check out the <a href='http://gems.rubyforge.org/gems/'>list so far</a>).</li>
<li>No build-in signing!  Or at least it's not in the documentation I sifted through.  There should be either a built-in way of attaching signatures (you're already loading the files and encoding them; <acronym title='Message Digest'>MD5</acronym> or <acronym title='Secure Hashing Algorithm 1'>SHA-1</acronym> the contents, then sign that with <a href='http://www.gnupg.org/'>GnuPG</a>).  I home they address this soon, because I think a package management system without some sort of end-to-end security is dead in the water.</li>
<li>Funky <a href='http://www.yaml.org/'><acronym title="YAML Ain't a Markup Language">YAML</acronym></a> storage format that's "not much larger than tar".  That's nice, why don't you just use tar instead?  <a href='http://rpa-base.rubyforge.org/'>RPA-Base</a> does.  To be fair, according to the <a href='http://rpa-base.rubyforge.org/wiki/wiki.cgi?Rpa_FAQ'>RPA FAQ</a>, <a href='http://rubygems.rubyforge.org/'>RubyGems</a> is adopting the RPA file format in the next release.</li>
<li>I want mirrors of <a href='http://gems.rubyforge.org/gems/'>the main gem distribution site</a>.  It's easy enough to create and maintain one, someone just needs to step up to the plate.</li>
<li>The <code>--ri-site</code> option should work for <a href='http://rdoc.sourceforge.net/'>RDoc</a> inside the <code>gemspec</code> files.  Right now it doesn't seem to.</li>
<li>Gem Server is neat!</li>
<li>Should have some sort of dependency removal on uninstall feature, ala <a href='http://rpa-base.rubyforge.org/'>RPA-Base</a>  and <a href='http://packages.debian.org/cgi-bin/search_packages.pl?keywords=aptitude'><code>aptitude</code></a>.</li>
<li>Generating <a href='http://www.ruby-lang.org/'>Ruby</a> code inside the gem worries me, <em>especially</em> without any sort of developer signing going on.</li>
</ul>

<p>
I'll keep fiddling and let everyone know what I come up with.
</p>