Sounds awesome, Tony. When is Square Hack Week, for those not inside of Square? :)
Nick

On Sat, Sep 14, 2013 at 2:22 PM, Tony Arcieri <basc...@gmail.com> wrote:
> Hi there. I've talked to some people within Square and we're interested in
> creating a system for providing end-to-end integrity of RubyGems, as well
> as being able to revoke known compromised RubyGems while still surviving
> the compromise of system keys.
>
> While the specific design goals are up for debate, we'd probably try to do
> a prototype implementation of The Update Framework on top of the existing
> RubyGems X.509 certificate system (with perhaps a few modifications):
>
> http://www.updateframework.com/projects/project
>
> The main goals would be:
>
> - Try to leverage as much of the existing work on signed RubyGems as
>   possible
> - Depend only on the Ruby standard library and try not to pull in any
>   additional dependencies that RubyGems doesn't already depend on
> - Produce a system with minimum (i.e. "zero") cost and operational
>   overhead which would still provide practical security guarantees and
>   could ensure all gems are signed (and also provide a way to
>   retroactively sign all existing gems)
>
> If this sounds good to you, I'd love to talk more about fleshing out what
> we would actually implement during Hack Week so we can have a plan that
> lets us hit the ground running and get as much done as possible in a week,
> with the goal of having something worthwhile that can be merged into the
> upstream projects.
>
> We also have Dan Boneh as a staff cryptographer and can probably rope him
> in to review our design ;)
>
> --
> Tony Arcieri
> _______________________________________________
> RubyGems-Developers mailing list
> http://rubyforge.org/projects/rubygems
> RubyGems-Developers@rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers