RubyGems/TUF Hack Week Project at Square

Nick Quaranto nick at
Mon Nov 18 01:08:21 UTC 2013

This is awesome. Is there any way for someone outside of Square to observe
what's going on?

On Sun, Nov 17, 2013 at 7:44 PM, Tony Arcieri <bascule at> wrote:

> Square's Hack Week starts tomorrow, and we'll be doing a project to add
> security to RubyGems. We have been looking at the TUF work that is already
> being done on PyPI/pip as a sort of design document for how we might apply
> these same sorts of ideas to RubyGems:
> I'm thinking we could even fork this document and create a derived one
> that's applicable to RubyGems.
> There are at least 17 interested developers on this project, so I hope we
> can accomplish something within a week!
> I just wanted to touch base with the RubyGems people/TUF people so you know
> 1) this is happening 2) can give us some feedback as far as whether we're
> doing a good job ;)
> This project will focus on looking at the RubyGems ecosystem end-to-end and
> applying the TUF design principles to the respective parts of this system.
> It's expected to leverage the existing digital signature system that's
> already in place in RubyGems, but add additional security around things
> like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> separation-of-responsibilities principles.
> One of the design principles of TUF is for users to not see an impact in
> their experience *unless* the system has been compromised and we certainly
> hope to attain that too. The only additional step this project would add to
> the workflow would be mandatory gem signing using the standard RubyGems
> commands for doing so as they exist today.
> --
> Tony Arcieri
> _______________________________________________
> RubyGems-Developers mailing list
> RubyGems-Developers at

More information about the RubyGems-Developers mailing list