Making popular Ruby packages more secure

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  1. RubyGems

    The Ruby community's gem hosting service.

    RubyGems does have gem signing, but it's not widely used.

    There's a proposal for a new "one button" approach using sigstore[0].

    Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.

    Disclosure: I am involved with both of these.

    [0] https://github.com/rubygems/rubygems.org/pull/2944

    [1] https://github.com/ossf/wg-securing-software-repos

  3. wg-securing-software-repos

    OpenSSF Working Group on Securing Software Repositories


  4. rubygems

    Library packaging and distribution for Ruby.

    This is great news! I like how the article cites evidence that MFA is disproportionately effective against account takeover.

    If the rubygems devs are looking for other highly effective wins against supply chain attacks: I think the next thing is deeper support for lockfiles. Although Ruby has Gemfile.lock, it's not a true lockfile in the same way that package managers in the javascript/go/python ecosystems support. Specifically, locking versions is optional, there's no locking by hash (GitHub issue: https://github.com/rubygems/rubygems/issues/3379), and there's no capability to lock local or source-only dependencies by hash. By comparison: go modules, pipenv, npm, yarn, nuget, composer, and gradle already support locking by hash.
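    To make concrete what "locking by hash" buys over version-only pinning, here is an added example (not code from the thread, RubyGems or Bundler): a small Ruby script that reads a hypothetical checksum manifest, pins the SHA-256 of each cached `.gem` archive, and reports archives that are missing, tampered with, or present but unpinned. The manifest format, the `vendor/cache`-style directory and the archive contents are all constructed for the demo.

```ruby
# Added example: a minimal "lock by hash" check of the kind the comment asks
# for. Gemfile.lock pins versions; this additionally pins the SHA-256 of each
# .gem archive so a same-name, same-version substitution is detected.
require "digest"
require "tmpdir"

# Parse a constructed manifest: one "name-version sha256 <hex>" entry per line.
# In practice it would be generated once when the cache is populated and
# committed alongside Gemfile.lock.
def parse_checksum_lock(text)
  text.each_line.with_object({}) do |line, lock|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name_version, algo, digest = line.split(/\s+/, 3)
    raise ArgumentError, "unsupported algorithm #{algo}" unless algo == "sha256"
    raise ArgumentError, "malformed digest for #{name_version}" unless digest =~ /\A[0-9a-f]{64}\z/
    lock[name_version] = digest
  end
end

# Verify every pinned archive in cache_dir. Returns a hash keyed by
# "name-version" with :missing (archive absent), :mismatch (digest differs)
# or :unpinned (archive present in the cache but absent from the lock).
def verify_gem_checksums(lock, cache_dir)
  problems = {}
  lock.each do |name_version, expected|
    path = File.join(cache_dir, "#{name_version}.gem")
    unless File.file?(path)
      problems[name_version] = :missing
      next
    end
    # Compare the full digest, never a prefix.
    actual = Digest::SHA256.file(path).hexdigest
    problems[name_version] = :mismatch unless actual == expected
  end
  Dir.glob(File.join(cache_dir, "*.gem")).each do |path|
    nv = File.basename(path, ".gem")
    problems[nv] = :unpinned unless lock.key?(nv)
  end
  problems
end

# Demo with constructed archives (arbitrary bytes standing in for real .gem
# tarballs). One archive is replaced after its digest was recorded, one is
# pinned but absent, and one stray archive was never pinned.
def demo
  Dir.mktmpdir do |cache|
    good = "rack-3.0.8"
    bad  = "nokogiri-1.15.4"
    File.binwrite(File.join(cache, "#{good}.gem"), "rack archive bytes")
    File.binwrite(File.join(cache, "#{bad}.gem"), "nokogiri archive bytes")
    lock_text = <<~LOCK
      # CHECKSUMS (constructed)
      #{good} sha256 #{Digest::SHA256.hexdigest("rack archive bytes")}
      #{bad} sha256 #{Digest::SHA256.hexdigest("nokogiri archive bytes")}
      rake-13.0.6 sha256 #{"0" * 64}
    LOCK
    # Same name and version, different contents: version pinning alone misses this.
    File.binwrite(File.join(cache, "#{bad}.gem"), "nokogiri archive bytes (modified)")
    File.binwrite(File.join(cache, "stray-0.0.1.gem"), "not in lock")
    verify_gem_checksums(parse_checksum_lock(lock_text), cache)
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |nv, problem| warn "#{problem}: #{nv}" }
end
```

    Run as a script it reports the tampered `nokogiri-1.15.4`, the missing `rake-13.0.6` and the unpinned `stray-0.0.1`; an install step would abort on any non-empty result rather than proceed.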

  5. warehouse

    The Python Package Index

    I really wish more package managers added support for OIDC based authentication+authorization for package publishing. PyPI has an ongoing PR for this: https://github.com/pypa/warehouse/issues/10970 with some really great UX. You specify a repository name on GitHub and GitHub Actions there get publishing rights automatically.

    While 2FA is good, having a purpose-limited JIT token for publishing packages is what will actually reduce risk. Otherwise, as it stands, PATs leaked from one project can be used across any of your other packages on all package managers.
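    The "purpose-limited" property the comment describes comes from the policy layer that checks an OIDC token's claims against a registered trusted publisher. As an added example (not code from the thread, PyPI or RubyGems), the Ruby below authorizes a publish request from a set of GitHub Actions OIDC claims: the token must be issued by GitHub, be addressed to this registry, be unexpired, and come from the exact repository, workflow file and environment registered for that one gem. The registration struct, the gem and repository names, and the claims hash are constructed; verifying the JWT signature against the issuer's JWKS is assumed to have happened upstream.

```ruby
# Added example: policy check for OIDC "trusted publisher" uploads.
# Signature verification is assumed done upstream by a JWT library; this is
# only the claims policy that scopes a token to one gem, one workflow.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical registration record: which repository, workflow file and
# (optional) environment may publish which gem. Constructed for the example.
TrustedPublisher = Struct.new(:gem_name, :repository, :workflow, :environment, keyword_init: true)

PUBLISHERS = [
  TrustedPublisher.new(gem_name: "example-gem", repository: "example-org/example-gem",
                       workflow: "release.yml", environment: "rubygems")
].freeze

# Returns [:ok, nil] or [:deny, reason]. Every check is a reason the token
# is narrower than a personal access token: it cannot be replayed to another
# registry, after expiry, from another repo, from another workflow in the
# same repo, or for a gem the repo is not registered for.
def authorize_publish(claims, gem_name, publishers, expected_audience:, now: Time.now)
  return [:deny, "wrong issuer"] unless claims["iss"] == GITHUB_ISSUER
  return [:deny, "wrong audience"] unless Array(claims["aud"]).include?(expected_audience)
  exp = claims["exp"]
  return [:deny, "missing exp"] unless exp.is_a?(Integer)
  return [:deny, "token expired"] unless now.to_i < exp

  pub = publishers.find { |p| p.gem_name == gem_name }
  return [:deny, "no trusted publisher for #{gem_name}"] unless pub
  return [:deny, "repository not trusted"] unless claims["repository"] == pub.repository

  # job_workflow_ref has the form "owner/repo/.github/workflows/<file>@<git ref>";
  # pin the workflow file so another workflow in the same repository cannot publish.
  workflow_ref = claims["job_workflow_ref"].to_s
  workflow_path = workflow_ref.split("@", 2).first.to_s.delete_prefix("#{pub.repository}/")
  return [:deny, "workflow not trusted"] unless workflow_path == ".github/workflows/#{pub.workflow}"

  if pub.environment
    return [:deny, "environment not trusted"] unless claims["environment"] == pub.environment
  end
  [:ok, nil]
end

# Constructed claims in the shape GitHub Actions issues (not a real token).
# `overrides` lets the demo simulate a token from the wrong place.
def sample_claims(now, **overrides)
  {
    "iss" => GITHUB_ISSUER,
    "aud" => "rubygems.org",
    "sub" => "repo:example-org/example-gem:environment:rubygems",
    "repository" => "example-org/example-gem",
    "job_workflow_ref" => "example-org/example-gem/.github/workflows/release.yml@refs/tags/v1.2.0",
    "environment" => "rubygems",
    "iat" => now.to_i,
    "exp" => now.to_i + 300,
  }.merge(overrides)
end

if $PROGRAM_NAME == __FILE__
  now = Time.now
  [sample_claims(now),
   sample_claims(now, "repository" => "someone-else/fork"),
   sample_claims(now, "job_workflow_ref" => "example-org/example-gem/.github/workflows/ci.yml@refs/heads/main")].each do |c|
    puts authorize_publish(c, "example-gem", PUBLISHERS, expected_audience: "rubygems.org", now: now).inspect
  end
end
```

    The contrast with a PAT is the point: a stolen PAT authorizes everything its owner can do, whereas this token is rejected the moment any one claim, including the five-minute `exp`, stops matching the registration.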

  6. rfcs

    RubyGems + Bundler RFCs (by rubygems)

    That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.

    More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...
