Square Hack Week project: secure updates for RubyGems

Tony Arcieri bascule at gmail.com
Sat Sep 14 18:22:48 UTC 2013

Hi there. I've talked to some people within Square and we're interested in
creating a system for providing end-to-end integrity of RubyGems, as well
as being able to revoke known compromised RubyGems while still surviving
the compromise of system keys.

While the specific design goals are up for debate, we'd probably try to do
a prototype implementation of The Update Framework on top of the existing
RubyGems X.509 certificate system (with perhaps a few modifications):


The main goals would be:

   - Try to leverage as much of the existing work on signed RubyGems as
   - Depend only on the Ruby standard library and try not to pull in any
   additional dependencies that RubyGems doesn't already depend on
   - Produce a system with minimum (i.e. "zero") cost and operational
   overhead which would still provide practical security guarantees and could
   ensure all gems are signed (and also provide a way to retroactively sign
   all existing gems)

If this sounds good to you, I'd love to talk more about fleshing out what
we would actually implement during Hack Week so we can have a plan that
lets us hit the ground running and get as much done as possible in a week,
with the goal of having something worthwhile that can be merged into the
upstream projects.

We also have Dan Boneh as a staff cryptographer and can probably rope him
in to review our design ;)

Tony Arcieri

More information about the RubyGems-Developers mailing list