On Mon, Feb 11, 2013 at 4:31 PM, James Tucker <jftu...@gmail.com> wrote:
> All,
>
> We have taken some time to prepare the following document in regard to the
> current trust model, and future goals and requirements. We're looking for
> two things at present, before creating/evaluating proposals:
>
> * Interested parties (probably larger vendor security team members,
> although may be individual contributors also)
> * Missed goals/requirements discussions

Thank you. I'm definitely interested in this, and will need to read
the document in more depth, but the focus on keeping the workflow easy
is important. I decided recently to start signing my gems again—which
means that I had to create a new cert pair and the public certs are
published on RubyForge (I use `hoe` for most of my gems, and Ryan has
done a great job of making this part fairly transparent; I had some
issues getting the cert up for the first gem, but…).

One thing that I think will be important with this is whether we
should have more than one "authorized" key/cert for a particular gem
or set of gems, or whether authors can/should have multiple identities
(that is, should my diff-lcs gems be signed with the same cert/key
that mime-types is?).

I also think that, even though it's built on top of rubygems, Bundler
should be part of this overall security discussion.

-a
--
Austin Ziegler • halos...@gmail.com • aus...@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue
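The signing workflow Austin describes, worked through as an added example that is not part of this thread and is not RubyGems' own `Gem::Security` code: an author builds a self-signed certificate and key (what `gem cert --build` produces), signs the gem payload with the key, and an installer accepts the gem only if the signing certificate is in its trust set and the signature verifies. The trust set is a list, so the "more than one authorized cert per gem" case Austin raises is simply a set with two entries. The common names, the payload bytes and the fingerprint-based trust lookup are assumptions for illustration; RubyGems stores and looks up trusted certificates in its own way and is not modelled here.

```ruby
require "openssl"

# Hypothetical helper: a self-signed author certificate plus its private key.
# Stands in for the gem-private_key.pem / gem-public_cert.pem pair an author creates.
def make_author_identity(common_name, key_bits = 2048)
  key  = OpenSSL::PKey::RSA.new(key_bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Certificates are compared by the SHA-256 of their DER encoding (an assumption
# of this model, chosen so a re-issued cert with the same subject is a new identity).
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Author side: detached RSA/SHA-256 signature over the payload, shipped with the
# signing certificate, much as a signed gem carries its cert chain and .sig files.
def sign_gem(payload, key, cert)
  { cert_pem: cert.to_pem,
    signature: key.sign(OpenSSL::Digest.new("SHA256"), payload) }
end

# Installer side. `trusted` is the set of certificates the installer has chosen to
# accept for this gem. Each failure mode returns a distinct reason.
def verify_gem(payload, signed, trusted)
  cert = OpenSSL::X509::Certificate.new(signed[:cert_pem])
  unless trusted.any? { |t| fingerprint(t) == fingerprint(cert) }
    return [false, "signing certificate not in trust set"]
  end
  now = Time.now
  unless cert.not_before <= now && now <= cert.not_after
    return [false, "signing certificate outside its validity window"]
  end
  unless cert.public_key.verify(OpenSSL::Digest.new("SHA256"), signed[:signature], payload)
    return [false, "signature does not match payload"]
  end
  [true, "ok"]
end

# The cases the question raises: one authorised cert; two authorised certs for the
# same gem (an author's old and new identity); a signer the installer never trusted;
# and a payload altered after signing. The payload is constructed sample bytes.
def trust_model_demo
  old_key,   old_cert   = make_author_identity("author-2011")
  new_key,   new_cert   = make_author_identity("author-2013")
  rogue_key, rogue_cert = make_author_identity("someone-else")
  payload = "diff-lcs-1.2.0 constructed gem payload bytes"

  {
    single_cert:      verify_gem(payload, sign_gem(payload, new_key, new_cert), [new_cert]).first,
    two_authorised:   verify_gem(payload, sign_gem(payload, old_key, old_cert), [old_cert, new_cert]).first,
    untrusted_signer: verify_gem(payload, sign_gem(payload, rogue_key, rogue_cert), [old_cert, new_cert]).last,
    tampered:         verify_gem(payload + "x", sign_gem(payload, new_key, new_cert), [new_cert]).last,
  }
end

puts trust_model_demo.inspect if __FILE__ == $0
```

The point the two-cert case makes is that the hard part of "multiple authorized keys" is not the verification code but the policy around the trust set: who may add a second certificate for a gem, and whether an old one is revoked or merely superseded when an author rotates to a new identity.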