Hello rubygems,

We hear from Donald Stufft on the Python Catalog-SIG mailing list that you are interested in securing rubygems.

We are The Update Framework (TUF) project [https://www.updateframework.com/], and we would like to help Ruby and Python folks secure their package managers.

TUF is a framework designed by computer scientists from NYU-Poly, University of Washington and the Tor project to help solve some of the more common problems with securing software updaters.

Here are some papers we wrote on the subject:

https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf

What we would like to do is help the rubygems community understand how you can use TUF to secure your package manager, with security designed in carefully and intrinsically, so that you do not have to worry about the most common security issues.

Donald, havenwood and raggi introduced us to the Rubygems Trust Model document [http://goo.gl/ybFIO], and we will comment on it as soon as we find the time. In fact, we are going to have a TUF hackathon here in a few hours, and we hope to make more progress on these matters soon enough.

Please feel free to reach out to us with your questions!

Thanks,
Trishank

_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-Developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers