Your message is lengthy, so forgive me if I trim too vigorously.

On Jan 17, 2007, at 16:44, Paul Duncan wrote:

> Unfortunately, the actual crypto isn't the hard part.
>
> The hard part is getting developers to adopt it. I feel like the
> documentation is adequate, and I also posted an entry on my web site
> that has a relatively automagic gem signing blurb that can be dropped
> into a Rakefile or Gem specification. Here it is:
>
> http://pablotron.org/?cid=1510
> (Ignore the first paragraph about the Rake patch and skip to the later
> bit about gem signing).

Rake::PackageTask and Hoe are your vectors here. If the change is that
small, I can put it into Hoe.

Actually, why can't RubyGems just look in ~/.gemrc for these things?
Makes for one less step, and will work right around PackageTask and Hoe.

> Another "hard" aspect is trust (I alluded to this in the paragraph you
> quoted above). Specifically, how can a user be sure a particular
> certificate (or public key) is associated with the author of a given
> gem?
>
> So, in order for a RubyGems end user to "trust" a package, we need
> either an established X.509 PKI trust hierarchy (including pre-packaged
> root issuing certificates, some sort of security policy, and preferably
> a CRL distribution point and OCSP responder as well) or a bridge to
> PGP's web of trust.

I think you're the expert here; how do we get any of this going? Which
is best?

> Obviously this is more work than most gem authors should be expected to
> do, which is why it'd be nice to have the aforementioned trust mechanism
> in place. Even something as simple as a button to upload your signing
> key(s) to RubyForge and an ominous-sounding warning from RubyGems when
> installing unsigned gems would be better than what we've got now, which
> is nothing.
>
> PS. I don't usually toot my own horn, but if you're still reading this
> far and find this kind of stuff interesting, there are a couple
> additional posts I've written in the last week or so that deal with
> security, identity, and trust. The posts are available at the
> following URLs:
>
> http://programming.reddit.com/info/xqnp/comments/cxt6j
> http://programming.reddit.com/info/xqnp/comments/cxtrj
> http://hellojoseph.com/298/setting-up-apache-ssl-encryption-should-not-be-this-complicated
> (for the last one, scroll down to see my response to Sean's post)
>
> --
> Paul Duncan <[EMAIL PROTECTED]>          OpenPGP Key ID: 0x82C29562
> http://www.pablotron.org/                http://www.paulduncan.org/
> _______________________________________________
> Rubygems-developers mailing list
> Rubygems-developers@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers

--
Eric Hodel - [EMAIL PROTECTED] - http://blog.segment7.net

I LIT YOUR GEM ON FIRE!