Our great sponsors
RubyGems | Bundler | |
---|---|---|
25 | 4 | |
2,291 | 4,822 | |
2.2% | - | |
9.8 | 7.6 | |
about 13 hours ago | about 4 years ago | |
Ruby | Ruby | |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
RubyGems
-
Phlex is the ruby way to build your views
However, let's examine a typical partial, such as the one from the . rubygems.org search show page
- Chrome considers gems to be dangerous?
-
OOP vs. services for organizing business logic: is there a third way?
github.com/rubygems/rubygems.org (26k lines): Where Ruby gems are hosted.
-
RubyGems now requires MFA for owners of top gems
If anyone is looking to do some open source contributions on a mature, production Ruby on Rails site, I highly recommend contributing to the rubygems.org project. The code is extremely clean and the repo is very, very well run.
-
Making popular Ruby packages more secure
In fact, you can now scope API tokens per-gem as well: https://github.com/rubygems/rubygems.org/pull/2944
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
-
Unauthorized gem takeover for some gems
SSH is such a different use case that the analogies break down. With respect, thinking about this for a few minutes should convince you that while TOFU works fine for immutable artifact signatures, it is unworkable for a system where you ever upgrade packages.
Consider that most nontrivial projects on rubygems have multiple maintainers that can publish a version. Normal collaboration models would imply that they each have a personal signing key; sharing a single signing key per project isn’t realistic (as you mentioned, rotation is another reason for this). And TOFU doesn’t work when there are multiple possible keys, such a system requires an external trust chain.
Assume for the sake of argument the above is solved. What exactly do you do when tooling alerts you that an upgraded dependency has changed keys since the last publish? Either you blindly accept the new key or you investigate. If the latter hopefully you have a way to directly contact the author to verify that the rotation was legitimate. Since you probably don’t you should just compare the diff of the published artifacts. But you should have been doing this anyway, so what has the signature bought you here except false security?
I’m all for pragmatic solutions that measurably improve security. I just think changes like https://github.com/rubygems/rubygems.org/pull/2499 and https://github.com/rubygems/rubygems.org/pull/2242 qualify to a much greater extent than thinking of crypto as magic dust that can be sprinkled on a system to increase its security.
This test seems to be a good example of the vulnerability: https://github.com/rubygems/rubygems.org/commit/58c755a7a62a...
-
Ask HN: How many 2FA tokens do you have?
See https://github.com/rubygems/rubygems.org/pull/2865 for the web part
> From the replies it sounds like this is talking about client software?
Yes the command line is a client to the rubygems server
> An unattended client should not be able to do WebAuthn as the whole point is that a human is present and authorising the authentication step
You either need a PIN, a fingerprint, a press, or no action just owning the device or the software.
> if I have 100% full of Bob's device I still can't touch the sensor or button to authenticate as Bob.
If you have a perfect copy of a Yubikey or the same fingerprint you should be able to authenticate I think
> OpenSSH works with Yubikeys
Nice, I will look into it
Bundler
-
current state of bundle install vs gem install -g
bundle install uses the bundle binary (technically a ruby script). The command runs the Bundler::Installer.run module. There are a lot more steps, particularly around dependencies. It ultimately calls Bundler::Installer::GemInstaller.
-
My tone doesn’t make me wrong, or how I convinced the Ruby project to fix an inconsistency
sudo is totally unacceptable on my system
-
Caching All Native Ruby Gem Platforms
If you are using Bundler version 1.x, you may also need to set the specific_platform configuration setting.
What are some alternatives?
gemdiff - Find source repositories for ruby gems. Open, compare, and update outdated gem versions
Gem in a Box - Really simple rubygem hosting
gemstash - A RubyGems.org cache and private gem server
passwordless - 🗝 Authentication for your Rails app without the icky-ness of passwords
SharpZipLib - #ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.
Open-Source-Ruby-and-Rails-Apps - Awesome Ruby and Rails Open Source applications 🌈
rbs - Type Signature for Ruby
PrismJS - Lightweight, robust, elegant syntax highlighting.
rubygems - Library packaging and distribution for Ruby.