Our great sponsors
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
[0] https://github.com/rubygems/rubygems.org/pull/2944
[1] https://github.com/ossf/wg-securing-software-repos
RubyGems does have gem signing, but it's not widely used.
There's a proposal for a new "one button" approach using sigstore[0].
Other ecosystems are also looking at sigstore too, and a lot of us are cooperating in the OpenSSF Securing Software Repos WG [1]. Package signing is a regular topic of discussion and there are various efforts underway.
Disclosure: I am involved with both of these.
[0] https://github.com/rubygems/rubygems.org/pull/2944
[1] https://github.com/ossf/wg-securing-software-repos
This is great news! I like how the article cites evidence that MFA is disproportionately effective against account takeover.
If the rubygems devs are looking for other highly effective wins against supply chain attacks: I think the next thing is deeper support for lockfiles. Although Ruby has Gemfile.lock, it's not a true lockfile in the same way that package managers in the javascript/go/python ecosystems support. Specifically, locking versions is optional, there's no locking by hash (Github issue: https://github.com/rubygems/rubygems/issues/3379), and there's no capability to lock local or source-only dependencies by hash. By comparison: go modules, pipenv, npm, yarn, nuget, composer, and gradle already support locking by hash.
I really wish more package managers added support for OIDC based authentication+authorization for package publishing. PyPi has an ongoing PR for this: https://github.com/pypa/warehouse/issues/10970 with some really great UX. You specify a repository name on GitHub and GitHub actions there get publishing rights automatically.
While 2FA is good, having a purpose limited JIT token for publishing packages is what will actually reduce risk. Otherwise, as it stands - PATs leaked from one project can be used across any of your other packages on all package managers.
That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.
More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...