wg-securing-software-repos
gem-compare
| | wg-securing-software-repos | gem-compare |
|---|---|---|
| Mentions | 2 | 2 |
| Stars | 78 | 247 |
| Growth | - | 0.4% |
| Activity | 6.8 | 0.0 |
| Latest commit | 17 days ago | almost 2 years ago |
| Language | | Ruby |
| License | GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
wg-securing-software-repos
-
Making popular Ruby packages more secure
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
[0] https://github.com/rubygems/rubygems.org/pull/2944
[1] https://github.com/ossf/wg-securing-software-repos
-
Unauthorized gem takeover for some gems
In particular, check out the Securing Software Repos WG: https://github.com/ossf/wg-securing-software-repos
So far folks have turned up from RubyGems, PyPI, NPM, Maven Central, Drupal and I've probably forgotten someone.
gem-compare
-
Unauthorized gem takeover for some gems
I built a RubyGems plugin that can help you vet gem version changes. Not that it would save you from this CVE, but I thought others might appreciate having it in their toolbox.
[0] https://github.com/fedora-ruby/gem-compare
- Gem-compare – RubyGems plugin that compares versions of the given gem
What are some alternatives?
RubyGems - The Ruby community's gem hosting service.
rfcs - RubyGems + Bundler RFCs
warehouse - The Python Package Index