RubyGems/TUF Hack Week Project at Square

Jordi Massaguer Pla jmassaguerpla at
Mon Nov 18 10:06:03 UTC 2013

That is very cool! I am looking forward to seeing your results :)!

On 11/18/2013 01:44 AM, Tony Arcieri wrote:
> Square's Hack Week starts tomorrow, and we'll be doing a project to add
> security to RubyGems. We have been looking at the TUF work that is already
> being done on PyPI/pip as a sort of design document for how we might apply
> these same sorts of ideas to RubyGems:
> I'm thinking we could even fork this document and create a derived one
> that's applicable to RubyGems.
> There are at least 17 interested developers on this project, so I hope we
> can accomplish something within a week!
> I just wanted to touch base with the RubyGems people/TUF people so you know
> 1) this is happening 2) can give us some feedback as far as whether we're
> doing a good job ;)
> This project will focus on looking at the RubyGems ecosystem end-to-end and
> applying the TUF design principles to the respective parts of this system.
> It's expected to leverage the existing digital signature system that's
> already in place in RubyGems, but add additional security around things
> like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> separation-of-responsibilities principles.
> One of the design principles of TUF is for users to not see an impact in
> their experience *unless* the system has been compromised and we certainly
> hope to attain that too. The only additional step this project would add to
> the workflow would be mandatory gem signing using the standard RubyGems
> commands for doing so as they exist today.

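The "separation of responsibilities" idea that Tony's mail refers to is easiest to see in running code. What follows is an added illustration written for this archive page in Ruby (the language of RubyGems); it is not code from the original thread, from RubyGems/Bundler, or from the TUF reference implementation. It assumes a deliberately simplified three-role model (root, targets, timestamp) with freshly generated keys, a constructed string standing in for a .gem file, and hypothetical function names; real TUF additionally has a snapshot role, signature thresholds, delegations and key rotation, none of which are modelled. The point it demonstrates is the one in the announcement: a client pins only the root key, a mirror holds no keys, and the metadata is layered so that no single compromised component (a mirror, or even the targets signing key alone) can get a tampered gem installed.

```ruby
require "openssl"
require "json"
require "digest"
require "time"

# Added illustration, not RubyGems, Bundler or TUF project code: one key per
# role so that no single mirror or service can serve a tampered gem.
class Role
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048) # constructed demo key, generated on the fly
  end

  def public_pem
    @key.public_key.to_pem
  end

  # Envelope = canonical JSON body plus a detached RSA-SHA256 signature (hex).
  def sign(metadata)
    body = JSON.generate(metadata)
    sig = @key.sign(OpenSSL::Digest.new("SHA256"), body)
    { "signed" => body, "sig" => sig.unpack1("H*") }
  end
end

# Parsed metadata if the envelope verifies under pub_pem, otherwise nil.
def verify_envelope(pub_pem, envelope)
  pub = OpenSSL::PKey::RSA.new(pub_pem)
  sig = [envelope["sig"]].pack("H*")
  ok = begin
    pub.verify(OpenSSL::Digest.new("SHA256"), sig, envelope["signed"])
  rescue OpenSSL::PKey::PKeyError
    false
  end
  ok ? JSON.parse(envelope["signed"]) : nil
end

def sha256(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Timestamp metadata pins the exact bytes of the targets envelope and expires,
# so a replayed or re-signed targets file is rejected even if it verifies alone.
def sign_timestamp(role, targets_env, now)
  role.sign("targets_sha256" => sha256(JSON.generate(targets_env)),
            "expires" => (now + 86_400).utc.iso8601)
end

# Everything a mirror would host: signed metadata for each role plus gem files.
def build_repository(root, targets, timestamp, gem_name, gem_bytes, now)
  root_env = root.sign("roles" => { "targets" => targets.public_pem,
                                    "timestamp" => timestamp.public_pem })
  targets_env = targets.sign("targets" => { gem_name => { "sha256" => sha256(gem_bytes),
                                                          "length" => gem_bytes.bytesize } })
  { "root" => root_env, "timestamp" => sign_timestamp(timestamp, targets_env, now),
    "targets" => targets_env, "gems" => { gem_name => gem_bytes } }
end

# Client verification. Only the root public key is pinned; the targets and
# timestamp keys are learned from root-signed metadata. Returns :ok or a
# symbol naming the first check that failed.
def install_check(repo, gem_name, pinned_root_pem, now)
  root = verify_envelope(pinned_root_pem, repo["root"])
  return :bad_root_signature unless root
  ts = verify_envelope(root["roles"]["timestamp"], repo["timestamp"])
  return :bad_timestamp_signature unless ts
  return :expired_metadata if Time.parse(ts["expires"]) <= now
  return :targets_not_in_timestamp unless sha256(JSON.generate(repo["targets"])) == ts["targets_sha256"]
  targets = verify_envelope(root["roles"]["targets"], repo["targets"])
  return :bad_targets_signature unless targets
  entry = targets["targets"][gem_name]
  return :unknown_gem unless entry
  bytes = repo["gems"][gem_name]
  return :missing_gem unless bytes
  return :length_mismatch unless bytes.bytesize == entry["length"]
  return :hash_mismatch unless sha256(bytes) == entry["sha256"]
  :ok
end

GEM_NAME = "example-1.0.0.gem"
CLEAN = "GEM:example-1.0.0:clean" # constructed stand-in for the .gem bytes
EVIL  = "GEM:example-1.0.0:evil!" # same length, so only the hash check can catch it

# Honest install plus four attacks, each stopped by a different layer.
def scenarios
  now = Time.utc(2013, 11, 18, 10, 0, 0)
  root, targets, timestamp, rogue = Array.new(4) { Role.new }
  repo = build_repository(root, targets, timestamp, GEM_NAME, CLEAN, now)
  evil_meta = { "targets" => { GEM_NAME => { "sha256" => sha256(EVIL), "length" => EVIL.bytesize } } }
  r = { honest: install_check(repo, GEM_NAME, root.public_pem, now) }
  # Mirror swaps the gem file but holds no keys at all.
  r[:mirror_swaps_gem] = install_check(repo.merge("gems" => { GEM_NAME => EVIL }),
                                       GEM_NAME, root.public_pem, now)
  # Mirror re-signs targets and timestamp metadata with a key of its own.
  rogue_targets = rogue.sign(evil_meta)
  rogue_repo = repo.merge("targets" => rogue_targets, "gems" => { GEM_NAME => EVIL },
                          "timestamp" => sign_timestamp(rogue, rogue_targets, now))
  r[:rogue_keys] = install_check(rogue_repo, GEM_NAME, root.public_pem, now)
  # Attacker stole the real targets key but not the timestamp key.
  stolen_repo = repo.merge("targets" => targets.sign(evil_meta), "gems" => { GEM_NAME => EVIL })
  r[:stolen_targets_key_only] = install_check(stolen_repo, GEM_NAME, root.public_pem, now)
  # Old but genuine repository replayed after the timestamp expired.
  r[:stale_replay] = install_check(repo, GEM_NAME, root.public_pem, now + 2 * 86_400)
  r
end

scenarios.each { |name, outcome| puts "#{name}: #{outcome}" } if $PROGRAM_NAME == __FILE__
```

Two things worth noticing when reading the outcomes: the mirror in the first two attacks never had to be trusted, because the client learns every key from root-signed metadata, and in the third attack a stolen targets key is not enough on its own, because the timestamp role independently pins which targets metadata is current. That last property is exactly what separation of responsibilities buys over the single-signature model: what an attacker needs grows with each role that is kept on a separate (ideally offline) key.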
More information about the RubyGems-Developers mailing list