Hello Ruby Developers!
My name is Nick Anderson. Nektarios Tsoutsos, Tony Green, Pan Chan, and I have been spending the past few weeks integrating the RubyGems client into TUF, www.theupdateframework.com, for an Application Security course at NYU-Polytechnic. Our goal is to help you during your hack-a-thon next week to get a complete, end-to-end working version of TUF for RubyGEMS.

Currently we have integrated gem and TUF using the C bindings for TUF ( https://github.com/PoppySeedPlehzr/gemsontuf ). The actual changes to gem were very trivial and only consisted of a few lines of code. With this, we can successfully install and update gems using TUF assuming the appropriate TUF metadata is there ( see https://github.com/PoppySeedPlehzr/gemsontuf/wiki/Getting-Started-with-GEMs-on-TUF ).

The real issue is to figure out how to integrate rubygems.org so that the appropriate data is signed. This not only requires signing files in the appropriate places within the server code. It also requires substantial thought about appropriately performing role separation so that even if the server is compromised, the attack impact is minimal. Another potential issue (that occurred for PyPI) was that they had situations where the metadata can be inconsistent. This can look to a security system like an attack, and so needs to be handled intelligently. The PEP that was recently published by Trishank, Donald Stufft, and Prof Cappos ( http://www.python.org/dev/peps/pep-0458/ ) lists quite a few other issues that we might consider to maximize efficiency, usability, and security.

While we are all full time students and have other commitments as well, we would love to have the opportunity to work with you at the hack-a-thon to help to push things forward with RubyGEMS. Please have a look at our code and documentation on GitHub and let us know how we can help!
--
Nicholas Anderson
nba...@nyu.edu
nba...@students.poly.edu
nanders...@gmail.com

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
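The two server-side concerns raised in the message above, role separation and inconsistent metadata, as an added Ruby example that is not part of the gemsontuf project or the original post. It assumes a deliberately simplified TUF-like layout: a root document naming the RSA keys and thresholds for a "targets" role (offline key) and a "timestamp" role (online key on the server), RSA keys generated in-process, and constructed gem bytes; the module name `TufLite` and every function name in it are hypothetical and not TUF's real API.

```ruby
require "openssl"
require "json"
require "digest"
require "time"

# Added example (not the gemsontuf project's code): a hypothetical, stripped-down
# TUF-style client check showing (1) role separation, so a key that only signs
# "timestamp" cannot produce valid "targets" metadata even if the server is
# compromised, and (2) consistency checks that return a failure symbol instead
# of raising, so an inconsistent mirror is reported rather than crashing the client.
module TufLite
  # Canonical JSON: sorted keys so signer and verifier hash the same bytes.
  def self.canonical(obj)
    case obj
    when Hash  then "{" + obj.keys.sort.map { |k| canonical(k) + ":" + canonical(obj[k]) }.join(",") + "}"
    when Array then "[" + obj.map { |v| canonical(v) }.join(",") + "]"
    else obj.to_json
    end
  end

  # Key id = SHA-256 of the public key PEM (same idea as TUF keyids).
  def self.key_id(key)
    Digest::SHA256.hexdigest(key.public_key.to_pem)
  end

  # Wrap a "signed" body with signatures from the given private keys.
  def self.sign(signed, keys)
    data = canonical(signed)
    sigs = keys.map do |k|
      { "keyid" => key_id(k),
        "sig"   => k.sign(OpenSSL::Digest.new("SHA256"), data).unpack1("H*") }
    end
    { "signed" => signed, "signatures" => sigs }
  end

  # Trusted root: which keyids may sign each role and how many must agree.
  def self.build_root(role_keys, thresholds = {})
    keys, roles = {}, {}
    role_keys.each do |role, ks|
      ks.each { |k| keys[key_id(k)] = k.public_key.to_pem }
      roles[role] = { "keyids" => ks.map { |k| key_id(k) },
                      "threshold" => thresholds.fetch(role, 1) }
    end
    { "keys" => keys, "roles" => roles }
  end

  # Verify one metadata document against the root. Returns :ok or a symbol
  # naming the first failed check (role type, expiry, rollback, threshold).
  def self.verify_role(doc, role, root, prev_version: 0, now: Time.now)
    signed = doc["signed"]
    return :wrong_role unless signed["_type"] == role
    return :expired    if Time.iso8601(signed["expires"]) <= now
    return :rollback   if signed["version"] < prev_version
    spec = root["roles"].fetch(role)
    data = canonical(signed)
    # Only keys the root assigns to this role count, and each key counts once.
    good = doc["signatures"].uniq { |s| s["keyid"] }.count do |s|
      next false unless spec["keyids"].include?(s["keyid"])
      pub = OpenSSL::PKey::RSA.new(root["keys"][s["keyid"]])
      begin
        pub.verify(OpenSSL::Digest.new("SHA256"), [s["sig"]].pack("H*"), data)
      rescue OpenSSL::PKey::PKeyError
        false
      end
    end
    good >= spec["threshold"] ? :ok : :threshold_not_met
  end

  # Check downloaded bytes against the length and hash promised in targets.
  def self.verify_target(targets_signed, name, bytes)
    info = targets_signed["targets"][name]
    return :unknown_target  unless info
    return :length_mismatch unless bytes.bytesize == info["length"]
    return :hash_mismatch   unless Digest::SHA256.hexdigest(bytes) == info["hashes"]["sha256"]
    :ok
  end

  # Walk through the scenarios with constructed data and return the outcomes.
  def self.demo
    targets_key   = OpenSSL::PKey::RSA.new(2048) # offline key, kept off the server
    timestamp_key = OpenSSL::PKey::RSA.new(2048) # online key, lives on the server
    root = build_root({ "targets" => [targets_key], "timestamp" => [timestamp_key] })
    gem_bytes = "constructed gem contents".b # constructed sample, not a real gem
    body = { "_type" => "targets", "version" => 2,
             "expires" => (Time.now + 86_400).utc.iso8601,
             "targets" => { "example-1.0.0.gem" => {
               "length" => gem_bytes.bytesize,
               "hashes" => { "sha256" => Digest::SHA256.hexdigest(gem_bytes) } } } }
    genuine = sign(body, [targets_key])
    forged  = sign(body, [timestamp_key])                   # online key misused
    stale   = sign(body.merge("version" => 1), [targets_key]) # older than what we saw
    {
      genuine:  verify_role(genuine, "targets", root, prev_version: 2),
      forged:   verify_role(forged,  "targets", root, prev_version: 2),
      rollback: verify_role(stale,   "targets", root, prev_version: 2),
      expired:  verify_role(genuine, "targets", root, now: Time.now + 2 * 86_400),
      good_gem: verify_target(genuine["signed"], "example-1.0.0.gem", gem_bytes),
      bad_gem:  verify_target(genuine["signed"], "example-1.0.0.gem", gem_bytes.sub("gem", "GEM")),
    }
  end
end

p TufLite.demo if $PROGRAM_NAME == __FILE__
```

The forged document fails on threshold, not on signature parsing: the timestamp key's signature is valid RSA but its keyid is simply not listed for the "targets" role, which is the whole point of keeping that role's key offline. Every failure mode comes back as a value the caller can log and act on, which is what handling a temporarily inconsistent mirror "intelligently" needs.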