I wish they went into detail about how the vulnerability worked. I took a look at the commit they linked to but I didn’t have enough context to understand how that would allow gems to be overwritten by an attacker.
I wonder if you could more easily verify past gems with something like:
git checkout <tag>
Will that work or would a version difference in the local version of rubygems used to build the gem cause checksum differences?