Signing the gem with a PGP key

Eric Wong normalperson at yhbt.net
Mon Mar 11 22:48:12 UTC 2013


Hongli Lai <hongli at phusion.nl> wrote:
> After the recent Rubygems.org hack it became clear that something
> needs to be done about authenticating gems. One of the efforts that
> was launched is http://www.rubygems-openpgp-ca.org/. We at Phusion
> have just finished signing all our gems and repositories with our PGP
> key, and our PGP key has been verified and signed by this CA.
> 
> It would be great if Unicorn can participate as well by signing future
> releases. If you already use GnuPG then the process is extremely
> straightforward.

Can we designate that gems be signed by a trusted third party (e.g. you)?
That's how Debian (and presumably other OS distros) work.

_Nobody_ should trust me.  I have and maintain zero credibility.
The only credibility any unicorn has is what its users give it.
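
Signing a gem with a PGP key and verifying it, as an added example that is not code from the unicorn project or from either poster in the thread above. It assumes GnuPG 2.1 or later on PATH, works in a throwaway GNUPGHOME with a key generated on the spot, and uses a constructed stand-in file in place of a real gem; the signer name, e-mail and the all-zero fingerprint are placeholders. Beyond the plain gpg --detach-sign / --verify round trip it pins the expected signing-key fingerprint, which is where the question of whom to trust comes in: a good signature from an unknown key proves nothing about who signed.

```shell
#!/bin/sh
# Added example, not code from the unicorn project or from this thread.
# Signs a gem with a detached, ASCII-armored PGP signature and verifies it.
# Assumptions: gpg 2.1+ is on PATH; the "gem" is a constructed stand-in
# file; the signer identity and its fingerprint are generated here in a
# throwaway GNUPGHOME, so nothing touches the real keyring.
set -eu

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
WORK=$(mktemp -d)
GEM="$WORK/example-0.0.1.gem"
printf 'constructed stand-in for gem contents\n' > "$GEM"

# Throwaway signing-only key with no passphrase (batch mode, loopback pinentry).
SIGNER='Example Signer <signer@example.invalid>'   # placeholder identity
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER" default sign 1d

# Fingerprint of that key: this is what a downstream verifier has to obtain
# out of band (a CA signature on the key, a fingerprint published by the
# project, signatures from people they already trust).
EXPECTED_FPR=$(gpg --batch --with-colons --list-keys 'signer@example.invalid' \
    | awk -F: '/^fpr:/ { print $10; exit }')

# sign_gem GEM: writes GEM.asc, the detached armored signature that ships
# next to the gem.
sign_gem() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# verify_gem GEM FPR: prints one of
#   good        signature valid and made by the key with fingerprint FPR
#   BAD         signature missing, malformed, or gem contents altered
#   WRONG-KEY   valid signature, but from some other key
# "gpg --verify" exits 0 for any cryptographically valid signature, even
# from a key the verifier never chose to trust, so the exit status alone
# says nothing about who signed. The VALIDSIG status line carries the
# primary-key fingerprint as its last field; that is checked explicitly.
verify_gem() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) \
        || { echo BAD; return 0; }
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{ print $NF; exit }')
    if [ "$fpr" = "$2" ]; then
        echo good
    else
        echo WRONG-KEY
    fi
}

# tampered_copy GEM: a copy with one byte appended but carrying the original
# signature, to show that verification catches altered contents.
tampered_copy() {
    cp "$1" "$1.tampered"
    cp "$1.asc" "$1.tampered.asc"
    printf 'x' >> "$1.tampered"
    printf '%s\n' "$1.tampered"
}

sign_gem "$GEM"
echo "original:  $(verify_gem "$GEM" "$EXPECTED_FPR")"
echo "tampered:  $(verify_gem "$(tampered_copy "$GEM")" "$EXPECTED_FPR")"
echo "other key: $(verify_gem "$GEM" 0000000000000000000000000000000000000000)"
```

The fingerprint comparison is the step that a plain "gpg --verify; echo $?" skips: the exit status only tells you that some key produced a valid signature over these bytes. Whether that key belongs to the unicorn maintainer, to a CA-vouched Phusion key, or to an attacker who uploaded a gem and a matching signature is a decision the verifier has to make from information obtained outside the gem download itself.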

