RubyGems now requires MFA for owners of top gems

This page summarizes the projects mentioned and recommended in the original post on

  • RubyGems

    The Ruby community's gem hosting service.

    If anyone is looking to do some open source contributions on a mature, production Ruby on Rails site, I highly recommend contributing to the project. The code is extremely clean and the repo is very, very well run.

  • CocoaPods

    The Cocoa Dependency Manager.

    This is fantastic work by the RubyGems maintainers!

    One interesting (IMO) aspect of this: there are secondary package ecosystems that piggyback on RubyGems that don't qualify for the 2FA mandate at the moment (since, as user-installed packages, they don't have quite the same volume as an extremely popular library package).

    The biggest one I can think of is CocoaPods[1] -- huge swaths of the iOS and macOS ecosystems rely on it, but it has "only" 57 million RubyGems downloads[2] and therefore doesn't qualify as a top-100 package. This demonstrates (again, IMO) the need for manual curation on top of a uniform policy for the top N packages.


  • ios-application

    A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!

    I recently migrated all of my 2FA logins to Raivo [0]. It's iOS-only but open source and very nicely built. The key feature that made me switch is that it can export my 2FA tokens as a backup.

    I got worried when I started thinking about this scenario, and realized Google Authenticator offers no way to back up the tokens. The only way out is to transfer to a new device using a QR code. They pretty much lock you in to using Google Authenticator.

    And, crucially, backing up the phone DOESN'T SAVE THE TOKENS.

    I almost learned this the hard way when I got a new phone, restored from backup, and right before I wiped my old phone I decided on a lark to check that Google Authenticator was working on the new one. The app was there, but the tokens were not.

