TUF Interface for RubyGems


Nicholas B Anderson

Nov 17, 2013, 10:58:24 AM
to rubygems-...@rubyforge.org, Justin Cappos, Pan Chan, Nektarios Georgios Tsoutsos, Anthony Green
Hello Ruby Developers!


My name is Nick Anderson. Nektarios Tsoutsos, Tony Green, Pan Chan, and
I have been spending the past few weeks integrating the RubyGems
client into TUF, www.theupdateframework.com, for an Application Security
course at NYU-Polytechnic. Our goal is to help you during your
hack-a-thon next week to get a complete, end-to-end working version of TUF
for RubyGEMS.


Currently we have integrated gem and TUF using the C bindings for TUF (
https://github.com/PoppySeedPlehzr/gemsontuf ). The actual changes to gem
were very trivial and only consisted of a few lines of code. With this,
we can successfully install and update gems using TUF assuming the
appropriate TUF metadata is there ( see
https://github.com/PoppySeedPlehzr/gemsontuf/wiki/Getting-Started-with-GEMs-on-TUF
).


The real issue is to figure out how to integrate rubygems.org so that the
appropriate data is signed. This not only requires signing files in the
appropriate places within the server code; it also requires substantial
thought about appropriately performing role separation so that even if the
server is compromised, the attack impact is minimal. Another potential
issue (that occurred for PyPI) was that they had situations where the
metadata can be inconsistent. This can look to a security system like an
attack, and so needs to be handled intelligently.


The PEP that was recently published by Trishank, Donald Stufft, and Prof
Cappos ( http://www.python.org/dev/peps/pep-0458/ ) lists quite a few other
issues that we might consider to maximize efficiency, usability, and
security.


While we are all full time students and have other commitments as well, we
would love to have the opportunity to work with you at the hack-a-thon to
help to push things forward with RubyGEMS.


Please have a look at our code and documentation on GitHub and let us know
how we can help!

--
________________________________
Nicholas Anderson
nba...@nyu.edu
nba...@students.poly.edu
nande...@gmail.com
_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-...@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
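The two server-side concerns raised in the post above, role separation so that a compromised key limits the damage, and metadata that can fall out of step and look like an attack, can be seen in a small client-side verifier. The following Ruby script is an added illustration, not code from the post or from the gemsontuf repository, and it is a simplified TUF-shaped scheme rather than the TUF specification: the role names, the `check_gem` verdict symbols, the RSA/SHA-256 signature scheme and the gem bytes are all constructed for this example.

```ruby
require 'openssl'
require 'json'
require 'digest'

DIGEST = -> { OpenSSL::Digest.new('SHA256') }

# One RSA key per role. Hypothetical layout for this illustration: in a real
# deployment the root key stays offline, which keeps a server compromise from reaching it.
def generate_role_keys
  %w[root targets snapshot].each_with_object({}) { |r, h| h[r] = OpenSSL::PKey::RSA.new(2048) }
end

def key_id(pub_pem)
  Digest::SHA256.hexdigest(pub_pem)
end

# Wrap `signed` in a TUF-shaped envelope: canonical JSON payload, one signature per key.
def sign_metadata(signed, keys)
  payload = JSON.generate(signed)
  sigs = keys.map do |k|
    { 'keyid' => key_id(k.public_key.to_pem), 'sig' => [k.sign(DIGEST.call, payload)].pack('m0') }
  end
  { 'signed' => signed, 'signatures' => sigs }
end

# Root binds each role to its key ids and a signature threshold.
def build_root(keys, threshold: 1)
  roles = keys.each_with_object({}) do |(name, k), h|
    h[name] = { 'keyids' => [key_id(k.public_key.to_pem)], 'threshold' => threshold }
  end
  pubkeys = keys.values.each_with_object({}) { |k, h| h[key_id(k.public_key.to_pem)] = k.public_key.to_pem }
  sign_metadata({ '_type' => 'root', 'version' => 1, 'keys' => pubkeys, 'roles' => roles }, [keys['root']])
end

# Snapshot pins the version and hash of the targets file it was built against.
def build_snapshot(targets_meta, snapshot_key, version: 1)
  entry = { 'version' => targets_meta['signed']['version'],
            'sha256' => Digest::SHA256.hexdigest(JSON.generate(targets_meta)) }
  sign_metadata({ '_type' => 'snapshot', 'version' => version, 'meta' => { 'targets.json' => entry } }, [snapshot_key])
end

# Count signatures from keys that root assigns to `role`; keys of other roles are ignored.
def verify_role(meta, role, root_signed)
  info = root_signed['roles'].fetch(role)
  payload = JSON.generate(meta['signed'])
  valid = meta['signatures'].count do |s|
    next false unless info['keyids'].include?(s['keyid'])
    pub = OpenSSL::PKey::RSA.new(root_signed['keys'].fetch(s['keyid']))
    pub.verify(DIGEST.call, s['sig'].unpack1('m0'), payload)
  end
  valid >= info['threshold']
end

# Client-side check for one gem. Returns a symbol so the caller can tell a bad
# signature (attack) from a snapshot/targets mismatch (attack *or* a publishing race).
def check_gem(gem_name, gem_bytes, root_meta, snapshot_meta, targets_meta)
  root = root_meta['signed']
  return :bad_root_sig     unless verify_role(root_meta, 'root', root)
  return :bad_snapshot_sig unless verify_role(snapshot_meta, 'snapshot', root)
  return :bad_targets_sig  unless verify_role(targets_meta, 'targets', root)
  pinned = snapshot_meta['signed']['meta']['targets.json']
  actual = { 'version' => targets_meta['signed']['version'],
             'sha256' => Digest::SHA256.hexdigest(JSON.generate(targets_meta)) }
  return :inconsistent_metadata unless pinned == actual
  target = targets_meta['signed']['targets'][gem_name]
  return :unknown_target unless target
  return :bad_length unless gem_bytes.bytesize == target['length']
  return :bad_hash   unless Digest::SHA256.hexdigest(gem_bytes) == target['sha256']
  :ok
end

def targets_for(gem_name, gem_bytes, key, version)
  entry = { 'length' => gem_bytes.bytesize, 'sha256' => Digest::SHA256.hexdigest(gem_bytes) }
  sign_metadata({ '_type' => 'targets', 'version' => version, 'targets' => { gem_name => entry } }, [key])
end

# Runs four scenarios and returns the client's verdict for each.
def demo
  keys = generate_role_keys
  root = build_root(keys)
  name = 'example-1.0.0.gem'
  honest = 'constructed gem bytes, not a real gem' # constructed sample input
  targets = targets_for(name, honest, keys['targets'], 1)
  snapshot = build_snapshot(targets, keys['snapshot'])
  evil = 'replacement bytes from elsewhere' # constructed sample input
  evil_targets = targets_for(name, evil, keys['targets'], 2)
  {
    honest:           check_gem(name, honest, root, snapshot, targets),
    # The targets key alone cannot re-sign snapshot, so a new targets file is rejected.
    # A publisher who updated targets but not yet snapshot gets the same verdict: this is
    # the PyPI-style inconsistency the post mentions, and the client cannot tell them apart.
    targets_key_only: check_gem(name, evil, root, snapshot, evil_targets),
    # Signing snapshot with the targets key fails: root binds that key to 'targets' only.
    wrong_role_key:   check_gem(name, evil, root, build_snapshot(evil_targets, keys['targets']), evil_targets),
    # Metadata intact but the downloaded bytes differ (same length, different content).
    tampered_gem:     check_gem(name, honest.reverse, root, snapshot, targets)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `:inconsistent_metadata` verdict is the interesting one for the server-side design: it is returned both when a key holder tries to push a targets file without the snapshot role's cooperation and when an honest publisher has written targets.json before snapshot.json. A client that treats the second case as an attack will refuse installs during every publish, which is why the post says the inconsistency needs to be handled intelligently on the server side (for example by writing the new metadata set atomically) rather than papered over in the client.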

Justin Cappos

Nov 18, 2013, 2:46:50 PM
to rubygems-tuf, RubyGems developers mailing list, theupdate...@googlegroups.com
Forwarding...