
Comments (2)

phil-monroe commented on July 17, 2024 · 1

@sds - Ahh good point! I was playing with the security settings and it seemed like this only affected childprocess and rubyzip, but I think that is because my machine had the other gems cached. Sorry for the confusion!

I totally agree that the gem signing ecosystem isn't the greatest of trust models, but the community is currently operating with the trust model that all of the contributors to gems have set up 2FA and that their rubygems.org accounts have not been compromised, which I feel is an even worse trust model.

I absolutely don't want to start a flame war over this, but in light of the recent compromises to gems that could destroy companies like mine, I'd like to think about and push the ruby/opensource communities to have better security, even if it's not perfect just yet.

It seems like you have a lot of experience maintaining gems and thinking about their security. I would love to pick your brain and bounce ideas off of you if you have time. If you are in SF I'd be happy to buy you a beer/coffee/drink to hear more about your thoughts.


sds commented on July 17, 2024

Is childprocess the only gem for which you're getting this error?

It is relatively rare in the RubyGems ecosystem to sign gems. Even rails (a massive project) does not sign its gems.

If we were to sign, you are putting trust in the supply chain of the set of people who are "owners" of the childprocess gem: https://rubygems.org/gems/childprocess. If you were to trust our certificate, you would trust any gem signed by our certificate. From https://guides.rubygems.org/security/

Gem certificates are trusted globally, such that adding a cert.pem for one gem automatically trusts all gems signed by that cert.

Do you want to extend that trust to us? I wouldn't—that's not a great trust model.

If you're particularly paranoid, the best you can hope to achieve is to visit the releases page, check that the signature on the release is signed by one of the maintainers, and then download that release and build and install the gem yourself locally. Hope that helps.

