Signing the gem with a PGP key

Eric Wong normalperson at
Mon Mar 11 23:59:17 UTC 2013

Hongli Lai <hongli at> wrote:
> On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <normalperson at> wrote:
> > Can we designate gems be signed by a trusted third party (e.g. you?)
> > That's how Debian (and presumably other OS distros work).
> >
> > _Nobody_ should trust me.  I have and maintain zero credibility.
> > The only credibility any unicorn has is what its users give it.
> Well the kind of trust we're talking about here is not trustworthiness
> (i.e. "does the software work well and will it refrain from formatting
> my harddisk?"), but authenticity ("is this gem made by the Unicorn and
> not someone pretending to be him?"). Given that definition of "trust",
> having a third party sign the gem is not very useful, and letting you
> sign the gem will not make it a statement about trustworthiness,
> warranty or credibility.
> What do you think?

The only thing that matters in the end is whether the code is good or not.

I have the same likelyhood of having my GPG key compromised as I do of
writing broken code that breaks things horribly: a very likely one.

I make my commits public and and send patches to mailing lists to
encourage others to verify what I'm doing isn't horribly broken.  I
never tell anybody to accept patches/code based on who wrote it; same
goes for gems/tarballs.

So yes, gems/tarballs should have the same level of scrutiny as every

If somebody else assumed my identity, but continued doing things in the
way I've done in the past; unicorn users would not (nor should they)
notice the difference.  That may've already happened :)

More information about the mongrel-unicorn mailing list