We found this somehow and it seems interesting: http://mirror1.poly.edu/test-rubygems/
This looks like an example of how TUF's metadata formats could live side-by-side with the existing RubyGems formats. Is that the case? Any idea where this came from?

On Sun, Nov 17, 2013 at 4:44 PM, Tony Arcieri <basc...@gmail.com> wrote:
> Square's Hack Week starts tomorrow, and we'll be doing a project to add
> security to RubyGems. We have been looking at the TUF work that is already
> being done on PyPI/pip as a sort of design document for how we might apply
> these same sorts of ideas to RubyGems:
>
> https://github.com/theupdateframework/pep-on-pypi-with-tuf
>
> I'm thinking we could even fork this document and create a derived one
> that's applicable to RubyGems.
>
> There are at least 17 interested developers on this project, so I hope we
> can accomplish something within a week!
>
> I just wanted to touch base with the RubyGems people/TUF people so you
> know 1) this is happening 2) can give us some feedback as far as whether
> we're doing a good job ;)
>
> This project will focus on looking at the RubyGems ecosystem end-to-end
> and applying the TUF design principles to the respective parts of this
> system. It's expected to leverage the existing digital signature system
> that's already in place in RubyGems, but add additional security around
> things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> separation-of-responsibilities principles.
>
> One of the design principles of TUF is for users to not see an impact in
> their experience *unless* the system has been compromised and we certainly
> hope to attain that too. The only additional step this project would add to
> the workflow would be mandatory gem signing using the standard RubyGems
> commands for doing so as they exist today.
>
> --
> Tony Arcieri
>

--
Tony Arcieri

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
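The thread above talks about TUF's separation-of-responsibilities principle and about TUF metadata living beside the existing RubyGems index without users noticing anything unless something is compromised. The following Ruby script is an added illustration of what that looks like in practice; it is not code from the Square hack week project, from RubyGems, or from the TUF reference implementation, and it makes several simplifying assumptions: RSA with SHA-256 for signatures (TUF itself is signature-scheme agnostic), a canonical JSON encoding of the "signed" body, a root role that pins keys and a signature threshold for a single "targets" role (real TUF also has snapshot and timestamp roles and delegations), and a constructed byte string standing in for a .gem file. The point it demonstrates is the one the email relies on: a mirror or index server that holds none of the targets keys cannot substitute a gem or rewrite its hash, and a single stolen targets key is not enough when the threshold is 2.

```ruby
require "openssl"
require "json"
require "digest"

# Added illustration of TUF-style signed metadata for a gem index. Not
# RubyGems, Square or TUF project code. Assumptions: RSA/SHA-256 signatures,
# canonical JSON over the "signed" body, and a root role pinning keys and
# threshold for the "targets" role. Gem bytes below are constructed.

# Canonical JSON (sorted keys, no whitespace) so that signer and verifier
# hash byte-identical input regardless of how the file was pretty-printed.
def canonical(obj)
  case obj
  when Hash  then "{" + obj.keys.sort.map { |k| "#{k.to_json}:#{canonical(obj[k])}" }.join(",") + "}"
  when Array then "[" + obj.map { |v| canonical(v) }.join(",") + "]"
  else obj.to_json
  end
end

# Key identifier: SHA-256 of the DER-encoded public key.
def keyid(pub)
  Digest::SHA256.hexdigest(pub.to_der)
end

# Wrap a "signed" body with one signature per private key.
def sign_metadata(signed, privkeys)
  body = canonical(signed)
  sigs = privkeys.map do |k|
    { "keyid" => keyid(k.public_key),
      "sig"   => k.sign(OpenSSL::Digest.new("SHA256"), body).unpack1("H*") }
  end
  { "signed" => signed, "signatures" => sigs }
end

# A role's metadata is trusted only when at least `threshold` distinct keys
# pinned for that role in root produced valid signatures over the body.
def role_verified?(root_signed, role, metadata)
  spec = root_signed["roles"].fetch(role)
  return false unless metadata["signed"]["_type"] == role
  body = canonical(metadata["signed"])
  valid = metadata["signatures"].select do |s|
    next false unless spec["keyids"].include?(s["keyid"])
    pub = OpenSSL::PKey::RSA.new(root_signed["keys"].fetch(s["keyid"]))
    begin
      pub.verify(OpenSSL::Digest.new("SHA256"), [s["sig"]].pack("H*"), body)
    rescue OpenSSL::PKey::PKeyError
      false
    end
  end
  valid.map { |s| s["keyid"] }.uniq.length >= spec["threshold"]
end

# A downloaded .gem is accepted only if its length and SHA-256 match the
# entry in already-verified targets metadata; a mirror cannot alter either.
def gem_verified?(targets_signed, name, bytes)
  entry = targets_signed["targets"][name]
  return false unless entry
  bytes.bytesize == entry["length"] &&
    Digest::SHA256.hexdigest(bytes) == entry["hashes"]["sha256"]
end

# Build a constructed root + targets pair and exercise the checks.
def demo
  root_key     = OpenSSL::PKey::RSA.new(2048)
  targets_keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  gem_bytes    = "constructed stand-in for a .gem file".b
  gem_name     = "example-1.0.0.gem"

  root_signed = {
    "_type" => "root", "version" => 1,
    "keys"  => (targets_keys + [root_key]).to_h { |k| [keyid(k.public_key), k.public_key.to_pem] },
    "roles" => {
      "root"    => { "keyids" => [keyid(root_key.public_key)], "threshold" => 1 },
      "targets" => { "keyids" => targets_keys.map { |k| keyid(k.public_key) }, "threshold" => 2 }
    }
  }
  root = sign_metadata(root_signed, [root_key])

  gem_entry = { "length" => gem_bytes.bytesize,
                "hashes" => { "sha256" => Digest::SHA256.hexdigest(gem_bytes) } }
  targets_signed = { "_type" => "targets", "version" => 1, "targets" => { gem_name => gem_entry } }
  targets      = sign_metadata(targets_signed, targets_keys[0, 2])  # 2 of 3 keys
  one_key_only = sign_metadata(targets_signed, targets_keys[0, 1])  # below threshold

  # A mirror rewriting the hash without the targets keys breaks the signatures.
  tampered_meta = JSON.parse(JSON.generate(targets))
  tampered_meta["signed"]["targets"][gem_name]["hashes"]["sha256"] = "00" * 32

  {
    root_ok:         role_verified?(root_signed, "root", root),
    targets_ok:      role_verified?(root_signed, "targets", targets),
    gem_ok:          gem_verified?(targets_signed, gem_name, gem_bytes),
    below_threshold: role_verified?(root_signed, "targets", one_key_only),
    tampered_meta:   role_verified?(root_signed, "targets", tampered_meta),
    tampered_gem:    gem_verified?(targets_signed, gem_name, gem_bytes + "x")
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Running the script prints a hash in which only `root_ok`, `targets_ok` and `gem_ok` are true. The client never contacts a key server and never prompts the user: it verifies root once (in a real deployment root is shipped with the client and rotated via signed updates), then checks targets against the keys root pins, and finally checks the gem bytes against targets. That is what "no impact unless the system has been compromised" means operationally, and the threshold is what separates responsibilities, since whoever operates Gemcutter, bundler-api or a mirror needs no signing key at all to serve the files.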