RubyGems/TUF Hack Week Project at Square

Nick Quaranto nick at quaran.to
Mon Nov 18 02:11:53 UTC 2013


Cool. Good luck!


On Sun, Nov 17, 2013 at 9:06 PM, Tony Arcieri <bascule at gmail.com> wrote:

> I've made the main project mailing list public in hopes that if we screw
> something up, someone else will notice ;)
>
> https://groups.google.com/forum/#!forum/rubygems-tuf
>
>
> On Sun, Nov 17, 2013 at 5:08 PM, Nick Quaranto <nick at quaran.to> wrote:
>
> > This is awesome. Is there any way for someone outside of Square to
> > observe what's going on?
> >
> >
> > On Sun, Nov 17, 2013 at 7:44 PM, Tony Arcieri <bascule at gmail.com> wrote:
> >
> > > Square's Hack Week starts tomorrow, and we'll be doing a project to add
> > > security to RubyGems. We have been looking at the TUF work that is
> > > already being done on PyPI/pip as a sort of design document for how we
> > > might apply these same sorts of ideas to RubyGems:
> > >
> > > https://github.com/theupdateframework/pep-on-pypi-with-tuf
> > >
> > > I'm thinking we could even fork this document and create a derived one
> > > that's applicable to RubyGems.
> > >
> > > There are at least 17 interested developers on this project, so I hope
> > > we can accomplish something within a week!
> > >
> > > I just wanted to touch base with the RubyGems people/TUF people so you
> > > know 1) this is happening 2) can give us some feedback as far as whether
> > > we're doing a good job ;)
> > >
> > > This project will focus on looking at the RubyGems ecosystem end-to-end
> > > and applying the TUF design principles to the respective parts of this
> > > system. It's expected to leverage the existing digital signature system
> > > that's already in place in RubyGems, but add additional security around
> > > things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> > > separation-of-responsibilities principles.
> > >
> > > One of the design principles of TUF is for users to not see an impact
> > > in their experience *unless* the system has been compromised and we
> > > certainly hope to attain that too. The only additional step this
> > > project would add to the workflow would be mandatory gem signing using
> > > the standard RubyGems commands for doing so as they exist today.
> > >
> > > --
> > > Tony Arcieri
> > > _______________________________________________
> > > RubyGems-Developers mailing list
> > > http://rubyforge.org/projects/rubygems
> > > RubyGems-Developers at rubyforge.org
> > > http://rubyforge.org/mailman/listinfo/rubygems-developers
> > >
>
>
>
> --
> Tony Arcieri
>

