On 09/14/2013 08:22 PM, Tony Arcieri wrote: > Hi there. I've talked to some people within Square and we're interested in > creating a system for providing end-to-end integrity of RubyGems, as well > as being able to revoke known compromised RubyGems while still surviving > the compromise of system keys. > > While the specific design goals are up for debate, we'd probably try to do > a prototype implementation of The Update Framework on top of the existing > RubyGems X.509 certificate system (with perhaps a few modifications): > > http://www.updateframework.com/projects/project > > The main goals would be: > > - Try to leverage as much of the existing work on signed RubyGems as > possible > - Depend only on the Ruby standard library and try not to pull in any > additional dependencies that RubyGems doesn't already depend on > - Produce a system with minimum (i.e. "zero") cost and operational > overhead which would still provide practical security guarantees and could > ensure all gems are signed (and also provide a way to retroactively sign > all existing gems) > > If this sounds good to you, I'd love to talk more about fleshing out what > we would actually implement during Hack Week so we can have a plan that > lets us hit the ground running and get as much done as possible in a week, > with the goal of having something worthwhile that can be merged into the > upstream projects. > > We also have Dan Boneh as a staff cryptographer and can probably rope him > in to review our design ;) > Hi! I'll be very happy to know about the progress of this project and to eventually help on it.
Is there a mailing list I should join or will you use this one for communication? thanks for taking this project jordi _______________________________________________ RubyGems-Developers mailing list http://rubyforge.org/projects/rubygems RubyGems-Developers@rubyforge.org http://rubyforge.org/mailman/listinfo/rubygems-developers
