Fwd: TUF Interface for RubyGems

Justin Cappos jcappos at nyu.edu
Mon Nov 18 19:46:50 UTC 2013


---------- Forwarded message ----------
From: Nicholas B Anderson <nba237 at nyu.edu>
Date: Sun, Nov 17, 2013 at 10:58 AM
Subject: TUF Interface for RubyGems
To: rubygems-developers at rubyforge.org
Cc: Justin Cappos <jcappos at nyu.edu>, Trishank Kuppusamy <tk47 at students.poly.edu>, Anthony Green <akoaysigod at gmail.com>, Pan Chan <pchan01 at students.poly.edu>, Nektarios Georgios Tsoutsos <ngt218 at students.poly.edu>

Hello Ruby Developers!

My name is Nick Anderson. Nektarios Tsoutsos, Tony Green, Pan Chan, and I
have been spending the past few weeks integrating the RubyGems client into
TUF, www.theupdateframework.com, for an Application Security course at
NYU-Polytechnic. Our goal is to help you during your hack-a-thon next week
to get a complete, end-to-end working version of TUF for RubyGems.

Currently we have integrated gem and TUF using the C bindings for TUF
( https://github.com/PoppySeedPlehzr/gemsontuf ). The actual changes to gem
were very trivial and only consisted of a few lines of code. With this, we
can successfully install and update gems using TUF assuming the appropriate
TUF metadata is there ( see

The real issue is to figure out how to integrate rubygems.org so that the
appropriate data is signed. This not only requires signing files in the
appropriate places within the server code. It also requires substantial
thought about appropriately performing role separation so that even if the
server is compromised, the attack impact is minimal. Another potential
issue (that occurred for PyPI) was that they had situations where the
metadata can be inconsistent. This can look to a security system like an
attack, and so needs to be handled intelligently.

The PEP that was recently published by Trishank, Donald Stufft, and Prof
Cappos ( http://www.python.org/dev/peps/pep-0458/ ) lists quite a few other
issues that we might consider to maximize efficiency, usability, and

While we are all full-time students and have other commitments as well, we
would love to have the opportunity to work with you at the hack-a-thon to
help push things forward with RubyGems.

Please have a look at our code and documentation on GitHub and let us know
how we can help!

Nicholas Anderson
nba237 at nyu.edu
nba237 at students.poly.edu
nanderson7 at gmail.com
