On 6/3/2011 9:43 PM, Eric Hodel wrote: > On May 26, 2011, at 5:26 PM, Grant Olson wrote: > >> 3) Is there interest in a simulated CA at a site like rubygems, as >> described in the original post? > > Yes > > We could do something lazier too, IIRC `gem push` uses SSL to upload the gem, > so rubygems.org could simply sign any gems with its own cert. No need for a > CA or any of that stuff. (This proposal is overly simplistic currently).
Do you mean your proposal or mine is simplistic? It actually would be nice if rubygems signed the gem on push, if it somehow verified the gem's authenticity when it was uploaded, above and beyond the username/password check. From my perspective, that would still introduce some problems: Does rubygems.org deliver the certificate through a new remote API call, or does it embed the sig in the uploaded gem? Either API change seems problematic, and would require integration with rubygems (the gem) as well. Signing a user's certificate could happen without modifiying the core rubygems.org distribution system as it exists now. Anyway, I did create a gem called rubygems-openpgp that allows you to sign and verify gems. I'm planning to add functionality to make signing and building a single command. I'd like to make verifying and installing a single command, but it doesn't look like there will be an easy way for me to hook into the system between the fetch and install phases. It also looks problematic to hook into any gem dependencies that automatically get downloaded, so that they are verified as well. Anyway, if anyone wants to take a look, my plugin is on rubygems as well as gihub: gem install rubygems-openpgp https://github.com/grant-olson/rubygems-openpgp -- Grant _______________________________________________ Rubygems-developers mailing list http://rubyforge.org/projects/rubygems Rubygems-developers@rubyforge.org http://rubyforge.org/mailman/listinfo/rubygems-developers
