Rubygems Trust Model

James Tucker

Feb 11, 2013, 4:31:20 PM
to rubygems-...@rubyforge.org
All,

We have taken some time to prepare the following document in regard to the
current trust model, and future goals and requirements. We're looking for
two things at present, before creating/evaluating proposals:

* Interested parties (probably larger vendor security team members,
although may be individual contributors also)
* Missed goals/requirements discussions

*http://goo.gl/ybFIO*

Please feel free to provide feedback here on the ML, and as necessary we'll
also be happy to add contributors to the editors and commenters lists on
the document.

Many thanks,

James
_______________________________________________
RubyGems-Developers mailing list
http://rubyforge.org/projects/rubygems
RubyGems-...@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers

Austin Ziegler

Feb 11, 2013, 4:59:49 PM
to RubyGems developers mailing list
On Mon, Feb 11, 2013 at 4:31 PM, James Tucker <jftu...@gmail.com> wrote:
> All,
>
> We have taken some time to prepare the following document in regard to the
> current trust model, and future goals and requirements. We're looking for
> two things at present, before creating/evaluating proposals:
>
> * Interested parties (probably larger vendor security team members,
> although may be individual contributors also)
> * Missed goals/requirements discussions

Thank you. I'm definitely interested in this, and will need to read
the document in more depth, but the focus on keeping the workflow easy
is important. I decided recently to start signing my gems again—which
means that I had to create a new cert pair and the public certs are
published on RubyForge (I use `hoe` for most of my gems, and Ryan has
done a great job of making this part fairly transparent; I had some
issues getting the cert up for the first gem, but…).

One thing that I think will be important with this is whether we
should have more than one "authorized" key/cert for a particular gem
or set of gems, or whether authors can/should have multiple identities
(that is, should my diff-lcs gems be signed with the same cert/key
that mime-types is?).

I also think that, even though it's built on top of rubygems, Bundler
should be part of this overall security discussion.

-a
--
Austin Ziegler • halos...@gmail.com • aus...@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue