RubyGems/TUF Hack Week Project at Square

Tony Arcieri bascule at
Mon Nov 18 00:44:19 UTC 2013

Square's Hack Week starts tomorrow, and we'll be doing a project to add
security to RubyGems. We have been looking at the TUF work that is already
being done on PyPI/pip as a sort of design document for how we might apply
these same sorts of ideas to RubyGems:

I'm thinking we could even fork this document and create a derived one
that's applicable to RubyGems.

There are at least 17 interested developers on this project, so I hope we
can accomplish something within a week!

I just wanted to touch base with the RubyGems people/TUF people so you know
1) this is happening 2) can give us some feedback as far as whether we're
doing a good job ;)

This project will focus on looking at the RubyGems ecosystem end-to-end and
applying the TUF design principles to the respective parts of this system.
It's expected to leverage the existing digital signature system that's
already in place in RubyGems, but add additional security around things
like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
separation-of-responsibilities principles.

One of the design principles of TUF is for users to not see an impact in
their experience *unless* the system has been compromised and we certainly
hope to attain that too. The only additional step this project would add to
the workflow would be mandatory gem signing using the standard RubyGems
commands for doing so as they exist today.

Tony Arcieri

More information about the RubyGems-Developers mailing list