That is very cool! I am looking forward to see your results :) !
On 11/18/2013 01:44 AM, Tony Arcieri wrote: > Square's Hack Week starts tomorrow, and we'll be doing a project to add > security to RubyGems. We have been looking at the TUF work that is already > being done on PyPI/pip as a sort of design document for how we might apply > these same sorts of ideas to RubyGems: > > https://github.com/theupdateframework/pep-on-pypi-with-tuf > > I'm thinking we could even fork this document and create a derived one > that's applicable to RubyGems. > > There are at least 17 interested developers on this project, so I hope we > can accomplish something within a week! > > I just wanted to touch base with the RubyGems people/TUF people so you know > 1) this is happening 2) can give us some feedback as far as whether we're > doing a good job ;) > > This project will focus on looking at the RubyGems ecosystem end-to-end and > applying the TUF design principles to the respective parts of this system. > It's expected to leverage the existing digital signature system that's > already in place in RubyGems, but add additional security around things > like Gemcutter, bundler-api, and RubyGems mirrors, per TUF's > separation-of-responsibilities principles. > > One of the design principles of TUF is for users to not see an impact in > their experience *unless* the system has been compromised and we certainly > hope to attain that too. The only additional step this project would add to > the workflow would be mandatory gem signing using the standard RubyGems > commands for doing so as they exist today. > _______________________________________________ RubyGems-Developers mailing list http://rubyforge.org/projects/rubygems RubyGems-Developers@rubyforge.org http://rubyforge.org/mailman/listinfo/rubygems-developers
