|Gem in a Box||RubyGems|
|4 months ago||3 days ago|
|MIT License||MIT License|
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Gem in a Box
We haven't tracked posts mentioning Gem in a Box yet.
Tracking mentions began in Dec 2020.
Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so.
1 project | reddit.com/r/worldTechnology | 10 May 2022
Unauthorized gem takeover for some gems
1 project | reddit.com/r/WhileTrueCode | 7 May 20221 project | reddit.com/r/ruby | 7 May 20221 project | reddit.com/r/patient_hackernews | 7 May 20221 project | reddit.com/r/hackernews | 7 May 2022
SSH is such a different use case that the analogies break down. With respect, thinking about this for a few minutes should convince you that while TOFU works fine for immutable artifact signatures, it is unworkable for a system where you ever upgrade packages.
Consider that most nontrivial projects on rubygems have multiple maintainers that can publish a version. Normal collaboration models would imply that they each have a personal signing key; sharing a single signing key per project isn’t realistic (as you mentioned, rotation is another reason for this). And TOFU doesn’t work when there are multiple possible keys, such a system requires an external trust chain.
Assume for the sake of argument the above is solved. What exactly do you do when tooling alerts you that an upgraded dependency has changed keys since the last publish? Either you blindly accept the new key or you investigate. If the latter hopefully you have a way to directly contact the author to verify that the rotation was legitimate. Since you probably don’t you should just compare the diff of the published artifacts. But you should have been doing this anyway, so what has the signature bought you here except false security?
I’m all for pragmatic solutions that measurably improve security. I just think changes like https://github.com/rubygems/rubygems.org/pull/2499 and https://github.com/rubygems/rubygems.org/pull/2242 qualify to a much greater extent than thinking of crypto as magic dust that can be sprinkled on a system to increase its security.
This test seems to be a good example of the vulnerability: https://github.com/rubygems/rubygems.org/commit/58c755a7a62a...
Unauthorized gem takeover for some gems · Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so.
1 project | reddit.com/r/blueteamsec | 6 May 2022
Ask HN: How many 2FA tokens do you have?
4 projects | news.ycombinator.com | 5 Mar 2022
See https://github.com/rubygems/rubygems.org/pull/2865 for the web part
> From the replies it sounds like this is talking about client software?
Yes the command line is a client to the rubygems server
> An unattended client should not be able to do WebAuthn as the whole point is that a human is present and authorising the authentication step
You either need a PIN, a fingerprint, a press, or no action just owning the device or the software.
> if I have 100% full of Bob's device I still can't touch the sensor or button to authenticate as Bob.
If you have a perfect copy of a Yubikey or the same fingerprint you should be able to authenticate I think
> OpenSSH works with Yubikeys
Nice, I will look into it
What are some alternatives?
gemstash - A RubyGems.org cache and private gem server
gemdiff - Find source repositories for ruby gems. Open, compare, and update outdated gem versions
passwordless - 🗝 Authentication for your Rails app without the icky-ness of passwords
Open-Source-Ruby-and-Rails-Apps - Awesome Ruby and Rails Open Source applications 🌈
SharpZipLib - #ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.
typings - *DEPRECATED* The TypeScript Definition Manager
PrismJS - Lightweight, robust, elegant syntax highlighting.
gem_rbs_collection - A collection of RBS for gems.