Signing the gem with a PGP key

Hongli Lai hongli at
Mon Mar 11 23:10:52 UTC 2013

On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <normalperson at> wrote:
> Can we designate gems be signed by a trusted third party (e.g. you?)
> That's how Debian (and presumably other OS distros work).
> _Nobody_ should trust me.  I have and maintain zero credibility.
> The only credibility any unicorn has is what its users give it.

Well, the kind of trust we're talking about here is not trustworthiness
(i.e. "does the software work well and will it refrain from formatting
my hard disk?"), but authenticity ("is this gem made by the Unicorn and
not someone pretending to be him?"). Given that definition of "trust",
having a third party sign the gem is not very useful, and letting you
sign the gem will not make it a statement about trustworthiness,
warranty or credibility.

What do you think?

Phusion | Ruby & Rails deployment, scaling and tuning solutions

E-mail: info at
Chamber of commerce no: 08173483 (The Netherlands)
