RubyGems now requires MFA for owners of top gems

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • RubyGems

    The Ruby community's gem hosting service.

  • If anyone is looking to do some open source contributions on a mature, production Ruby on Rails site, I highly recommend contributing to the rubygems.org project. The code is extremely clean and the repo is very, very well run.

    https://github.com/rubygems/rubygems.org

  • CocoaPods

    The Cocoa Dependency Manager.

  • This is fantastic work by the RubyGems maintainers!

    One interesting (IMO) aspect of this: there are secondary package ecosystems that piggyback on RubyGems that don't qualify for the 2FA mandate at the moment (since, as user-installed packages, they don't have quite the same volume as an extremely popular library package).

    The biggest one I can think of is CocoaPods[1] -- huge swaths of the iOS and macOS ecosystems rely on it, but it has "only" 57 million RubyGems downloads[2] and therefore doesn't qualify as a top-100 package. This demonstrates (again, IMO) the need for manual curation on top of a uniform policy for the top N packages.

    [1]: https://cocoapods.org/

    [2]: https://rubygems.org/gems/cocoapods

  • ios-application

    A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!

  • I recently migrated all of my 2FA logins to Raivo [0]. It's iOS-only but open source and very nicely built. The key feature that made me switch is that it can export my 2FA tokens as a backup.

    I got worried when I started thinking about this scenario, and realized Google Authenticator offers no way to back up the tokens. The only way out is to transfer to a new device using a QR code. They pretty much lock you in to using Google Authenticator.

    And, crucially, backing up the phone DOESN'T SAVE THE TOKENS.

    I almost learned this the hard way when I got a new phone, restored from backup, and right before I wiped my old phone I decided on a lark to check that Google Authenticator was working on the new one. The app was there, but the tokens were not.

    0: https://raivo-otp.com/
