I've made the main project mailing list public in hopes that if we screw something up, someone else will notice ;)
https://groups.google.com/forum/#!forum/rubygems-tuf

On Sun, Nov 17, 2013 at 5:08 PM, Nick Quaranto <n...@quaran.to> wrote:
> This is awesome. Is there any way for someone outside of Square to observe
> what's going on?
>
> On Sun, Nov 17, 2013 at 7:44 PM, Tony Arcieri <basc...@gmail.com> wrote:
> > Square's Hack Week starts tomorrow, and we'll be doing a project to add
> > security to RubyGems. We have been looking at the TUF work that is already
> > being done on PyPI/pip as a sort of design document for how we might apply
> > these same sorts of ideas to RubyGems:
> >
> > https://github.com/theupdateframework/pep-on-pypi-with-tuf
> >
> > I'm thinking we could even fork this document and create a derived one
> > that's applicable to RubyGems.
> >
> > There are at least 17 interested developers on this project, so I hope we
> > can accomplish something within a week!
> >
> > I just wanted to touch base with the RubyGems people/TUF people so you know
> > 1) this is happening 2) can give us some feedback as far as whether we're
> > doing a good job ;)
> >
> > This project will focus on looking at the RubyGems ecosystem end-to-end and
> > applying the TUF design principles to the respective parts of this system.
> > It's expected to leverage the existing digital signature system that's
> > already in place in RubyGems, but add additional security around things
> > like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> > separation-of-responsibilities principles.
> >
> > One of the design principles of TUF is for users to not see an impact in
> > their experience *unless* the system has been compromised and we certainly
> > hope to attain that too. The only additional step this project would add to
> > the workflow would be mandatory gem signing using the standard RubyGems
> > commands for doing so as they exist today.
> >
> > --
> > Tony Arcieri
> > _______________________________________________
> > RubyGems-Developers mailing list
> > http://rubyforge.org/projects/rubygems
> > RubyGems-Developers@rubyforge.org
> > http://rubyforge.org/mailman/listinfo/rubygems-developers

--
Tony Arcieri