RubyGems/TUF Hack Week Project at Square

Tony Arcieri bascule at gmail.com
Mon Nov 18 02:06:58 UTC 2013


I've made the main project mailing list public in hopes that if we screw
something up, someone else will notice ;)

https://groups.google.com/forum/#!forum/rubygems-tuf


On Sun, Nov 17, 2013 at 5:08 PM, Nick Quaranto <nick at quaran.to> wrote:

> This is awesome. Is there any way for someone outside of Square to observe
> what's going on?
>
>
> On Sun, Nov 17, 2013 at 7:44 PM, Tony Arcieri <bascule at gmail.com> wrote:
>
> > Square's Hack Week starts tomorrow, and we'll be doing a project to add
> > security to RubyGems. We have been looking at the TUF work that is already
> > being done on PyPI/pip as a sort of design document for how we might apply
> > these same sorts of ideas to RubyGems:
> >
> > https://github.com/theupdateframework/pep-on-pypi-with-tuf
> >
> > I'm thinking we could even fork this document and create a derived one
> > that's applicable to RubyGems.
> >
> > There are at least 17 interested developers on this project, so I hope we
> > can accomplish something within a week!
> >
> > I just wanted to touch base with the RubyGems people/TUF people so you know
> > 1) this is happening 2) can give us some feedback as far as whether we're
> > doing a good job ;)
> >
> > This project will focus on looking at the RubyGems ecosystem end-to-end and
> > applying the TUF design principles to the respective parts of this system.
> > It's expected to leverage the existing digital signature system that's
> > already in place in RubyGems, but add additional security around things
> > like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> > separation-of-responsibilities principles.
> >
> > One of the design principles of TUF is for users to not see an impact in
> > their experience *unless* the system has been compromised and we certainly
> > hope to attain that too. The only additional step this project would add to
> > the workflow would be mandatory gem signing using the standard RubyGems
> > commands for doing so as they exist today.
> >
> > --
> > Tony Arcieri
> > _______________________________________________
> > RubyGems-Developers mailing list
> > http://rubyforge.org/projects/rubygems
> > RubyGems-Developers at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/rubygems-developers
> >
>



-- 
Tony Arcieri
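As an added illustration of the separation-of-responsibilities idea discussed in the thread, here is a small Ruby sketch (written for this archive page; it is not code from the rubygems-tuf project or from Square's hack week) of how a TUF-style client would check a gem: a root role whose key the client pins out of band names the keys and threshold for a "targets" role, the targets metadata lists each gem's length and SHA-256, and a mirror or index that serves altered bytes, a single stolen targets key, or stale metadata each fail the check. The role names, the metadata layout, the keyid scheme (SHA-256 of the PEM) and the sample gem bytes are all assumptions made for the demo.

```ruby
require 'openssl'
require 'json'
require 'digest'
require 'time'

# Illustrative TUF-style verification for a gem index: a pinned root role
# delegates to a "targets" role with a signing threshold, and the client
# checks a downloaded gem against the signed targets metadata. Assumed
# role/metadata layout, not rubygems-tuf's own code.
module TufDemo
  DIGEST = 'SHA256'

  # Deterministic JSON so signer and verifier hash the same bytes.
  def self.canonical(obj)
    case obj
    when Hash  then '{' + obj.keys.sort.map { |k| "#{k.to_s.to_json}:#{canonical(obj[k])}" }.join(',') + '}'
    when Array then '[' + obj.map { |v| canonical(v) }.join(',') + ']'
    else obj.to_json
    end
  end

  # Assumed keyid scheme: SHA-256 of the public key PEM.
  def self.keyid(pub_pem)
    Digest::SHA256.hexdigest(pub_pem)
  end

  # Wrap metadata in a signature envelope signed by each private key.
  def self.sign(signed, *privkeys)
    payload = canonical(signed)
    sigs = privkeys.map do |k|
      { 'keyid' => keyid(k.public_key.to_pem),
        'sig'   => k.sign(OpenSSL::Digest.new(DIGEST), payload).unpack1('H*') }
    end
    { 'signed' => signed, 'signatures' => sigs }
  end

  # Parse a keyid => PEM map, refusing keys whose id does not match their bytes.
  def self.load_keys(key_map)
    key_map.each_with_object({}) do |(id, pem), keys|
      raise "keyid #{id} does not match key" unless keyid(pem) == id
      keys[id] = OpenSSL::PKey::RSA.new(pem)
    end
  end

  # A role is satisfied only by >= threshold valid signatures from distinct
  # keys the role authorizes, and only while the metadata is unexpired.
  def self.verify_role(envelope, role, keys, now: Time.now)
    signed = envelope['signed']
    raise "#{signed['_type']} expired" if Time.iso8601(signed['expires']) <= now
    payload = canonical(signed)
    good = envelope['signatures'].map { |s|
      pub = keys[s['keyid']]
      next unless pub && role['keyids'].include?(s['keyid'])
      s['keyid'] if pub.verify(OpenSSL::Digest.new(DIGEST), [s['sig']].pack('H*'), payload)
    }.compact.uniq
    raise "#{signed['_type']}: #{good.size}/#{role['threshold']} signatures" if good.size < role['threshold']
    signed
  end

  # Client-side check: pinned root -> targets role -> gem length and hash.
  def self.verify_gem(pinned_root, root_env, targets_env, name, bytes, now: Time.now)
    root    = verify_role(root_env, pinned_root, load_keys(root_env['signed']['keys']), now: now)
    targets = verify_role(targets_env, root['roles']['targets'], load_keys(root['keys']), now: now)
    entry   = targets['targets'][name] or raise "#{name} not in targets"
    raise 'length mismatch' unless entry['length'] == bytes.bytesize
    raise 'sha256 mismatch' unless entry['hashes']['sha256'] == Digest::SHA256.hexdigest(bytes)
    true
  end

  def self.outcome
    yield
    'ok'
  rescue RuntimeError => e
    e.message
  end

  # Constructed scenario: one root key, three targets keys with threshold 2.
  def self.demo
    root_key = OpenSSL::PKey::RSA.new(2048)
    t_keys   = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
    pem      = ->(k) { k.public_key.to_pem }
    day      = 86_400
    root_signed = {
      '_type' => 'root', 'expires' => (Time.now.utc + 365 * day).iso8601,
      'keys'  => ([root_key] + t_keys).map { |k| [keyid(pem[k]), pem[k]] }.to_h,
      'roles' => { 'targets' => { 'keyids' => t_keys.map { |k| keyid(pem[k]) }, 'threshold' => 2 } }
    }
    root   = sign(root_signed, root_key)
    pinned = { 'keyids' => [keyid(pem[root_key])], 'threshold' => 1 }   # shipped with the client
    gem    = 'fake gem bytes standing in for rack-1.5.2.gem (constructed sample)'
    targets_signed = {
      '_type' => 'targets', 'expires' => (Time.now.utc + day).iso8601,
      'targets' => { 'rack-1.5.2.gem' => { 'length' => gem.bytesize,
                                           'hashes' => { 'sha256' => Digest::SHA256.hexdigest(gem) } } }
    }
    targets = sign(targets_signed, t_keys[0], t_keys[1])   # 2 of 3 targets keys
    {
      genuine:  outcome { verify_gem(pinned, root, targets, 'rack-1.5.2.gem', gem) },
      tampered: outcome { verify_gem(pinned, root, targets, 'rack-1.5.2.gem', gem.sub('fake', 'FAKE')) },
      one_sig:  outcome { verify_gem(pinned, root, sign(targets_signed, t_keys[0]), 'rack-1.5.2.gem', gem) },
      unlisted: outcome { verify_gem(pinned, root, targets, 'evil-0.1.gem', gem) },
      stale:    outcome { verify_gem(pinned, root, targets, 'rack-1.5.2.gem', gem, now: Time.now + 2 * day) }
    }
  end
end

puts TufDemo.demo if $PROGRAM_NAME == __FILE__
```

The point of the threshold is that a compromised Gemcutter, bundler-api or mirror can alter bytes or metadata but cannot produce two targets signatures, and the expiry bound limits how long replayed old metadata stays useful. A real TUF deployment layers snapshot and timestamp roles, delegations and key rotation on top of this, and the existing per-gem signatures from the RubyGems `gem cert` workflow would sit underneath it rather than replace it.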

