[tuf] Re: RubyGems/TUF Hack Week Project at Square

Jon jon.forums at gmail.com
Mon Nov 18 21:07:08 UTC 2013


What testing are you doing on Windows systems or Windows-on-a-VM this week?


On Mon, Nov 18, 2013 at 3:02 PM, Justin Cappos <jcappos at nyu.edu> wrote:

> Yes, they are one and the same.
>
> Justin
>
>
> On Mon, Nov 18, 2013 at 2:47 PM, Tony Arcieri <bascule at gmail.com> wrote:
>
> > Aha! Is that this project?
> >
> > https://github.com/PoppySeedPlehzr/gemsontuf
> >
> >
> > On Mon, Nov 18, 2013 at 11:46 AM, Justin Cappos <jcappos at nyu.edu> wrote:
> >
> >> Four of the students in my App Sec class built this. They are trying to
> >> get an end-to-end integration of TUF with gem going.
> >>
> >> I'll forward the email they sent a few days ago to the lists.
> >>
> >> Thanks,
> >> Justin
> >>
> >>
> >> On Mon, Nov 18, 2013 at 2:38 PM, Tony Arcieri <bascule at gmail.com> wrote:
> >>
> >>> We found this somehow and it seems interesting:
> >>>
> >>> http://mirror1.poly.edu/test-rubygems/
> >>>
> >>> This looks like an example of how TUF's metadata formats could live
> >>> side-by-side with the existing RubyGems formats. Is that the case? Any idea
> >>> where this came from?
> >>>
> >>>
> >>>
> >>> On Sun, Nov 17, 2013 at 4:44 PM, Tony Arcieri <bascule at gmail.com> wrote:
> >>>
> >>>> Square's Hack Week starts tomorrow, and we'll be doing a project to add
> >>>> security to RubyGems. We have been looking at the TUF work that is already
> >>>> being done on PyPI/pip as a sort of design document for how we might apply
> >>>> these same sorts of ideas to RubyGems:
> >>>>
> >>>> https://github.com/theupdateframework/pep-on-pypi-with-tuf
> >>>>
> >>>> I'm thinking we could even fork this document and create a derived one
> >>>> that's applicable to RubyGems.
> >>>>
> >>>> There are at least 17 interested developers on this project, so I hope
> >>>> we can accomplish something within a week!
> >>>>
> >>>> I just wanted to touch base with the RubyGems people/TUF people so you
> >>>> know 1) this is happening 2) can give us some feedback as far as whether
> >>>> we're doing a good job ;)
> >>>>
> >>>> This project will focus on looking at the RubyGems ecosystem end-to-end
> >>>> and applying the TUF design principles to the respective parts of this
> >>>> system. It's expected to leverage the existing digital signature system
> >>>> that's already in place in RubyGems, but add additional security around
> >>>> things like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's
> >>>> separation-of-responsibilities principles.
> >>>>
> >>>> One of the design principles of TUF is for users to not see an impact
> >>>> in their experience *unless* the system has been compromised and we
> >>>> certainly hope to attain that too. The only additional step this project
> >>>> would add to the workflow would be mandatory gem signing using the standard
> >>>> RubyGems commands for doing so as they exist today.
> >>>>
> >>>> --
> >>>> Tony Arcieri
> >>>>
> >>>
> >>> --
> >>> Tony Arcieri
> >>>
> >
> > --
> > Tony Arcieri
> >
> _______________________________________________
> RubyGems-Developers mailing list
> http://rubyforge.org/projects/rubygems
> RubyGems-Developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers
>