RubyGems/TUF Hack Week Project at Square

Tony Arcieri bascule at
Mon Nov 18 19:38:07 UTC 2013

We found this somehow and it seems interesting:

This looks like an example of how TUF's metadata formats could live
side-by-side with the existing RubyGems formats. Is that the case? Any idea
where this came from?

On Sun, Nov 17, 2013 at 4:44 PM, Tony Arcieri <bascule at> wrote:

> Square's Hack Week starts tomorrow, and we'll be doing a project to add
> security to RubyGems. We have been looking at the TUF work that is already
> being done on PyPI/pip as a sort of design document for how we might apply
> these same sorts of ideas to RubyGems:
> I'm thinking we could even fork this document and create a derived one
> that's applicable to RubyGems.
> There are at least 17 interested developers on this project, so I hope we
> can accomplish something within a week!
> I just wanted to touch base with the RubyGems people/TUF people so you
> know 1) this is happening 2) can give us some feedback as far as whether
> we're doing a good job ;)
> This project will focus on looking at the RubyGems ecosystem end-to-end
> and applying the TUF design principles to the respective parts of this
> system. It's expected to leverage the existing digital signature system
> that's already in place in RubyGems, but add additional security around
> things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> separation-of-responsibilities principles.
> One of the design principles of TUF is for users to not see an impact in
> their experience *unless* the system has been compromised and we certainly
> hope to attain that too. The only additional step this project would add to
> the workflow would be mandatory gem signing using the standard RubyGems
> commands for doing so as they exist today.
> --
> Tony Arcieri

Tony Arcieri

More information about the RubyGems-Developers mailing list