Just interjecting my opinion in here! This feature was requested a while ago:
https://github.com/rubygems/gemcutter/issues/96

But I think the actual "CA" stuff could be an entirely different app than Gemcutter...in a different repo. but at something like https://ca.rubygems.org or https://security.rubygems.org ...something! :)

On Thu, May 26, 2011 at 8:26 PM, Grant Olson <[email protected]> wrote:
> On Thu, May 26, 2011 at 7:15 PM, Evan Phoenix <[email protected]> wrote:
>>> If the ruby standard library can deal with the public key signing (RSA
>>> and DSA) and hash functions (SHA series, and possibly MD5, RIPEMD160) it
>>> would be possible to write a full ruby implementation that can process
>>> OpenPGP files, but that's a lot of work, and prone to errors.
>> While it is going to be more work, it's the only solution that really
>> makes any sense. We simply can't introduce pgp/gpg as a platform dependency.
>>
>
> Fair enough. I'll look into exactly how hairy this will be.
>
> But for now, let's go under the assumption that I write a plugin for
> rubygems. Not part of the base system. This plugin allows you to sign
> and verify gems, and does require a working gpg installation. Only
> people who care about software verification install it and use it. And
> then in the year 2013 or 2038 or whatever, there's a pure ruby version
> of the back end crypto stuff and we merge the code with rubygems.
>
> 1) Is the gpg requirement still a dealbreaker in this scenario?
>
> 2) Does rubygems do any verification of the contents? Will a few extra
> files in the main .tgz flag the gem as invalid?
>
> 3) Is there interest in a simulated CA at a site like rubygems, as
> described in the original post?
>
> --
> Grant
> _______________________________________________
> Rubygems-developers mailing list
> http://rubyforge.org/projects/rubygems
> [email protected]
> http://rubyforge.org/mailman/listinfo/rubygems-developers
