Square's Hack Week starts tomorrow, and we'll be doing a project to add security to RubyGems. We have been looking at the TUF work that is already being done on PyPI/pip as a sort of design document for how we might apply these same sorts of ideas to RubyGems:

https://github.com/theupdateframework/pep-on-pypi-with-tuf

I'm thinking we could even fork this document and create a derived one that's applicable to RubyGems. There are at least 17 interested developers on this project, so I hope we can accomplish something within a week!

I just wanted to touch base with the RubyGems people/TUF people so you know 1) this is happening and 2) you can give us some feedback as far as whether we're doing a good job ;)

This project will focus on looking at the RubyGems ecosystem end-to-end and applying the TUF design principles to the respective parts of this system. It's expected to leverage the existing digital signature system that's already in place in RubyGems, but add additional security around things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's separation-of-responsibilities principles.

One of the design principles of TUF is for users to not see an impact in their experience *unless* the system has been compromised, and we certainly hope to attain that too. The only additional step this project would add to the workflow would be mandatory gem signing using the standard RubyGems commands for doing so as they exist today.

-- 
Tony Arcieri

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers