On Mon, Feb 11, 2013 at 4:31 PM, James Tucker <jftuc...@gmail.com> wrote:
> All,
>
> We have taken some time to prepare the following document in regard to the
> current trust model, and future goals and requirements. We're looking for
> two things at present, before creating/evaluating proposals:
>
> * Interested parties (probably larger vendor security team members,
> although may be individual contributors also)
> * Missed goals/requirements discussions
Thank you. I'm definitely interested in this, and will need to read the document in more depth, but the focus on keeping the workflow easy is important.

I decided recently to start signing my gems again, which means that I had to create a new cert pair, and the public certs are published on RubyForge (I use `hoe` for most of my gems, and Ryan has done a great job of making this part fairly transparent; I had some issues getting the cert up for the first gem, but…).

One thing that I think will be important with this is whether we should have more than one "authorized" key/cert for a particular gem or set of gems, or whether authors can/should have multiple identities (that is, should my diff-lcs gems be signed with the same cert/key that mime-types is?).

I also think that, even though it's built on top of rubygems, Bundler should be part of this overall security discussion.

-a
--
Austin Ziegler • halosta...@gmail.com • aus...@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
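The "authorized key/cert per gem" question in the reply above is easy to make concrete. The following is an added example, not code from this thread, from RubyGems or from Bundler: it uses Ruby's standard OpenSSL bindings to model a consumer that keeps a hypothetical per-gem allowlist of publisher certificates and accepts a package only when the signer's certificate is on that gem's list and the signature covers the delivered contents. The gem names, e-mail addresses, contents and the allowlist policy are all constructed for the demonstration; the self-signed certificates stand in for what `gem cert --build` produces.

```ruby
require 'openssl'

# Added example (not RubyGems code). Models a per-gem allowlist of
# "authorized" publisher certificates, one of the options raised in the
# thread, and shows what it accepts and rejects.

DIGEST = 'SHA256'

# Self-signed publisher certificate; stands in for `gem cert --build` output.
def build_publisher_cert(email, key, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.new([['CN', email.split('@').first],
                                          ['emailAddress', email]])
  cert.issuer = cert.subject          # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  cert
end

# A signed package: name, contents, the signer's cert (PEM) and a signature
# over the contents. Real gems carry this in metadata.gz.sig / data.tar.gz.sig.
SignedGem = Struct.new(:name, :contents, :signer_cert_pem, :signature)

def sign_gem(name, contents, key, cert)
  SignedGem.new(name, contents, cert.to_pem,
                key.sign(OpenSSL::Digest.new(DIGEST), contents))
end

# policy: { 'gem-name' => [authorized OpenSSL::X509::Certificate, ...] }
# (hypothetical policy shape, not RubyGems' trust directory).
# Returns [accepted?, reason].
def verify_gem(pkg, policy)
  allowed = policy.fetch(pkg.name, [])
  return [false, "no authorized certs for #{pkg.name}"] if allowed.empty?

  store = OpenSSL::X509::Store.new
  allowed.each { |c| store.add_cert(c) }

  signer = OpenSSL::X509::Certificate.new(pkg.signer_cert_pem)
  # Chain check: the signer cert must chain to (here: be) an allowlisted cert.
  unless store.verify(signer)
    return [false, "signer not authorized for #{pkg.name}: #{store.error_string}"]
  end
  # Content check: the signature must cover exactly the delivered contents.
  unless signer.public_key.verify(OpenSSL::Digest.new(DIGEST), pkg.signature, pkg.contents)
    return [false, 'signature does not match contents']
  end
  [true, "signed by #{signer.subject}"]
end

# Constructed scenario: one author with two gems, a second identity that is
# authorized for only one of them, and the usual failure modes.
def run_demo
  author_key = OpenSSL::PKey::RSA.new(2048)
  author_cert = build_publisher_cert('author@example.com', author_key)
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_cert = build_publisher_cert('comaintainer@example.com', other_key)

  policy = {
    'diff-lcs'   => [author_cert],              # single authorized cert
    'mime-types' => [author_cert, other_cert],  # more than one authorized cert
  }

  good = sign_gem('diff-lcs', "diff-lcs contents (constructed)", author_key, author_cert)
  tampered = good.dup
  tampered.contents += "\n# injected after signing"
  wrong_signer = sign_gem('diff-lcs', good.contents, other_key, other_cert)
  second_identity = sign_gem('mime-types', "mime-types contents (constructed)", other_key, other_cert)
  unlisted = sign_gem('hoe', "hoe contents (constructed)", author_key, author_cert)

  {
    good: verify_gem(good, policy),
    tampered: verify_gem(tampered, policy),
    wrong_signer: verify_gem(wrong_signer, policy),
    second_identity: verify_gem(second_identity, policy),
    unlisted: verify_gem(unlisted, policy),
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |label, (ok, why)| puts "#{label}: #{ok ? 'ACCEPT' : 'REJECT'} (#{why})" }
end
```

Running it accepts `good` and `second_identity` and rejects the other three. The point worth noticing for the thread's question is the `wrong_signer` case: a perfectly valid signature from a real publisher is still rejected for diff-lcs, because authorization is a property of the (gem, cert) pair, not of the cert alone; whether that binding should be per gem, per author, or per set of gems is exactly the policy decision the reply asks about.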