Cool. Good luck!
On Sun, Nov 17, 2013 at 9:06 PM, Tony Arcieri <basc...@gmail.com> wrote:

> I've made the main project mailing list public in hopes that if we screw
> something up, someone else will notice ;)
>
> https://groups.google.com/forum/#!forum/rubygems-tuf
>
> On Sun, Nov 17, 2013 at 5:08 PM, Nick Quaranto <n...@quaran.to> wrote:
>
> > This is awesome. Is there any way for someone outside of Square to
> > observe what's going on?
> >
> > On Sun, Nov 17, 2013 at 7:44 PM, Tony Arcieri <basc...@gmail.com> wrote:
> >
> > > Square's Hack Week starts tomorrow, and we'll be doing a project to add
> > > security to RubyGems. We have been looking at the TUF work that is
> > > already being done on PyPI/pip as a sort of design document for how we
> > > might apply these same sorts of ideas to RubyGems:
> > >
> > > https://github.com/theupdateframework/pep-on-pypi-with-tuf
> > >
> > > I'm thinking we could even fork this document and create a derived one
> > > that's applicable to RubyGems.
> > >
> > > There are at least 17 interested developers on this project, so I hope
> > > we can accomplish something within a week!
> > >
> > > I just wanted to touch base with the RubyGems people/TUF people so you
> > > know 1) this is happening and 2) can give us some feedback as far as
> > > whether we're doing a good job ;)
> > >
> > > This project will focus on looking at the RubyGems ecosystem end-to-end
> > > and applying the TUF design principles to the respective parts of this
> > > system. It's expected to leverage the existing digital signature system
> > > that's already in place in RubyGems, but add additional security around
> > > things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> > > separation-of-responsibilities principles.
> > >
> > > One of the design principles of TUF is for users to not see an impact in
> > > their experience *unless* the system has been compromised, and we
> > > certainly hope to attain that too. The only additional step this project
> > > would add to the workflow would be mandatory gem signing using the
> > > standard RubyGems commands for doing so as they exist today.
> > >
> > > --
> > > Tony Arcieri
> > > _______________________________________________
> > > RubyGems-Developers mailing list
> > > http://rubyforge.org/projects/rubygems
> > > RubyGems-Developers@rubyforge.org
> > > http://rubyforge.org/mailman/listinfo/rubygems-developers
>
> --
> Tony Arcieri
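The quoted message describes applying TUF's separation-of-responsibilities principle to RubyGems mirrors: the root role only says which keys are trusted for which role, a separate targets role signs the gem hashes, and a mirror that serves the files holds neither key. The toy model below is an added example, not code from the rubygems-tuf project or from RubyGems; the role layout, the metadata format, the `build_repository` and `verify_gem` helpers and the sample gem bytes are all constructed for illustration.

```ruby
require 'openssl'
require 'json'
require 'digest'

DIGEST = 'SHA256'

# Sign a metadata payload with a role's private key. The exact JSON bytes are
# what gets signed, so the verifier checks precisely what it later parses.
def sign_metadata(private_key, payload)
  signed = JSON.generate(payload)
  sig = private_key.sign(OpenSSL::Digest.new(DIGEST), signed)
  { 'signed' => signed, 'sig' => [sig].pack('m0') }
end

# Verify a metadata document against a PEM-encoded public key.
# Any malformed key or signature is treated as a failed verification.
def verify_metadata(public_pem, doc)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  pub.verify(OpenSSL::Digest.new(DIGEST), doc['sig'].unpack1('m0'), doc['signed'])
rescue OpenSSL::PKey::PKeyError
  false
end

# Constructed repository: the root key delegates the "targets" role to its own
# key, and the targets role signs the SHA-256 of each gem file. The mirror
# would only ever see the signed documents and the gem bytes, never the keys.
def build_repository
  root_key    = OpenSSL::PKey::RSA.new(2048)
  targets_key = OpenSSL::PKey::RSA.new(2048)
  gem_bytes   = 'constructed gem archive bytes for example-1.0.0.gem'

  root_doc = sign_metadata(root_key, {
    'roles' => { 'targets' => { 'pubkey' => targets_key.public_key.to_pem } }
  })
  targets_doc = sign_metadata(targets_key, {
    'targets' => { 'example-1.0.0.gem' => Digest::SHA256.hexdigest(gem_bytes) }
  })

  { root_pub: root_key.public_key.to_pem, root_doc: root_doc,
    targets_doc: targets_doc, gem_bytes: gem_bytes }
end

# Client-side check. root_pub is pinned out of band (shipped with the client);
# root_doc, targets_doc and gem_bytes may all have come from an untrusted mirror.
# Returns true only if the full chain root -> targets -> gem hash verifies.
def verify_gem(root_pub, root_doc, targets_doc, gem_name, gem_bytes)
  return false unless verify_metadata(root_pub, root_doc)
  targets_pub = JSON.parse(root_doc['signed']).dig('roles', 'targets', 'pubkey')
  return false unless targets_pub && verify_metadata(targets_pub, targets_doc)
  expected = JSON.parse(targets_doc['signed']).dig('targets', gem_name)
  return false unless expected
  expected == Digest::SHA256.hexdigest(gem_bytes)
end

if $PROGRAM_NAME == __FILE__
  repo = build_repository
  ok = verify_gem(repo[:root_pub], repo[:root_doc], repo[:targets_doc],
                  'example-1.0.0.gem', repo[:gem_bytes])
  puts "genuine gem verifies: #{ok}"
  tampered = verify_gem(repo[:root_pub], repo[:root_doc], repo[:targets_doc],
                        'example-1.0.0.gem', repo[:gem_bytes] + 'x')
  puts "tampered gem verifies: #{tampered}"
end
```

The point the model makes is that a mirror which alters a gem cannot also re-sign the targets metadata, because the targets key never leaves the publisher; and a mirror that substitutes its own targets key is rejected because that key is not the one the pinned root delegated to. The client only notices any of this when verification fails, which matches the "no visible impact unless compromised" goal in the quoted message.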