Square Hack Week project: secure updates for RubyGems

Nick Quaranto nick at quaran.to
Sat Sep 14 19:30:09 UTC 2013

Sounds awesome, Tony. When is Square Hack Week, for those not inside of
Square? :)


On Sat, Sep 14, 2013 at 2:22 PM, Tony Arcieri <bascule at gmail.com> wrote:

> Hi there. I've talked to some people within Square and we're interested in
> creating a system for providing end-to-end integrity of RubyGems, as well
> as being able to revoke known compromised RubyGems while still surviving
> the compromise of system keys.
> While the specific design goals are up for debate, we'd probably try to do
> a prototype implementation of The Update Framework on top of the existing
> RubyGems X.509 certificate system (with perhaps a few modifications):
> http://www.updateframework.com/projects/project
> The main goals would be:
>    - Try to leverage as much of the existing work on signed RubyGems as
>    possible
>    - Depend only on the Ruby standard library and try not to pull in any
>    additional dependencies that RubyGems doesn't already depend on
>    - Produce a system with minimum (i.e. "zero") cost and operational
>    overhead which would still provide practical security guarantees and
> could
>    ensure all gems are signed (and also provide a way to retroactively sign
>    all existing gems)
> If this sounds good to you, I'd love to talk more about fleshing out what
> we would actually implement during Hack Week so we can have a plan that
> lets us hit the ground running and get as much done as possible in a week,
> with the goal of having something worthwhile that can be merged into the
> upstream projects.
> We also have Dan Boneh as a staff cryptographer and can probably rope him
> in to review our design ;)
> --
> Tony Arcieri
> _______________________________________________
> RubyGems-Developers mailing list
> http://rubyforge.org/projects/rubygems
> RubyGems-Developers at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rubygems-developers

More information about the RubyGems-Developers mailing list