gem-compare
wg-securing-software-repos
| gem-compare | wg-securing-software-repos | |
|---|---|---|
| 2 | 2 | |
| 247 | 80 | |
| 0.4% | - | |
| 0.0 | 6.8 | |
| almost 2 years ago | about 1 month ago | |
| Ruby | ||
| MIT License | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gem-compare
-
Unauthorized gem takeover for some gems
I built a RubyGems plugin that can help you vet gem version changes. Not that it would save you from this CVE, but though others might appreciate it to have in their toolbox.
[0] https://github.com/fedora-ruby/gem-compare
- Gem-compare – RubyGems plugin that compares versions of the given gem
wg-securing-software-repos
-
Making popular Ruby packages more secure
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
[0] https://github.com/rubygems/rubygems.org/pull/2944
[1] https://github.com/ossf/wg-securing-software-repos
-
Unauthorized gem takeover for some gems
In particular, check out the Securing Software Repos WG: https://github.com/ossf/wg-securing-software-repos
So far folks have turned up from RubyGems, PyPI, NPM, Maven Central, Drupal and I'm probably forgotten someone.
What are some alternatives?
rfcs - RubyGems + Bundler RFCs
RubyGems - The Ruby community's gem hosting service.
warehouse - The Python Package Index
rfcs - RubyGems + Bundler RFCs