Square Hack Week project: secure updates for RubyGems

Jordi Massaguer Pla jmassaguerpla at suse.de
Wed Sep 18 08:05:28 UTC 2013

On 09/14/2013 08:22 PM, Tony Arcieri wrote:
> Hi there. I've talked to some people within Square and we're interested in
> creating a system for providing end-to-end integrity of RubyGems, as well
> as being able to revoke known compromised RubyGems while still surviving
> the compromise of system keys.
> While the specific design goals are up for debate, we'd probably try to do
> a prototype implementation of The Update Framework on top of the existing
> RubyGems X.509 certificate system (with perhaps a few modifications):
> http://www.updateframework.com/projects/project
> The main goals would be:
> - Try to leverage as much of the existing work on signed RubyGems as possible
> - Depend only on the Ruby standard library and try not to pull in any additional dependencies that RubyGems doesn't already depend on
> - Produce a system with minimum (i.e. "zero") cost and operational overhead which would still provide practical security guarantees and could ensure all gems are signed (and also provide a way to retroactively sign all existing gems)
> If this sounds good to you, I'd love to talk more about fleshing out what
> we would actually implement during Hack Week so we can have a plan that
> lets us hit the ground running and get as much done as possible in a week,
> with the goal of having something worthwhile that can be merged into the
> upstream projects.
> We also have Dan Boneh as a staff cryptographer and can probably rope him
> in to review our design ;)

Hi! I'll be very happy to know about the progress of this project and to
eventually help on it.

Is there a mailing list I should join or will you use this one for

Thanks for taking on this project.
