Antiarc has quit [Read error: Connection reset by peer]
havenwood has joined #rubygems-trust
havenwood has quit [Ping timeout: 246 seconds]
havenwood has joined #rubygems-trust
smile-on has joined #rubygems-trust
<smile-on>
Hello guys.
<smile-on>
I was directed here after reading http://tonyarcieri.com/lets-figure-out-a-way-to-start-signing-rubygems. Here are my two cents about the reasoning and the system required. First, I'd like to express my support for your concern about having reliable authentication for software packages. I personally considered using Ruby and Ruby on Rails in a real business consulting service and was shocked by the way software is installed from a single pub
<smile-on>
I am so glad to see that I am not alone in my paranoia! :) However, you may fail to recognize that this need for validation only comes from those who need to put others' software into production they are responsible for, or who create packages as a professional product (for sale).
<smile-on>
The other part of the free software community (as in free beer), which creates software just for fun or has no accountability, simply does not see a need for such an “extra burden”. What's it for? :)
<smile-on>
I do see a valid reason for Rubygems.org's resistance to having signatures implemented for all packages and having every commit signed. A lot of packages in the Ruby software world, with all my respect, look like one-time-show projects.
<smile-on>
Kids want to play, and it is not easy to make sure toys are tidily put back in the box after game time is over. Trust me, I am a father of two kids. :) So the real goal is to create a tool only for those in need, with no pushing in the kindergarten.
<smile-on>
Therefore I see a realistic approach as building some tool (gem) that would:
<smile-on>
- act as a wrapper over .../ruby/bin/gem and require a few extra files in the gem set (extending the gem spec);
<smile-on>
- could be used by gem authors to sign release version code with their own key;
<smile-on>
- ideally, Rubygems.org would provide the ability to publish a public key per project per version as optional info;
<smile-on>
- once signed, the public key cannot be changed, but the author can issue a new version with a new pair of keys;
<smile-on>
- compromised releases can be removed by the gem author, or the public key can be removed by a Rubygems.org admin;
<smile-on>
- at installation time the tool would refuse to install a gem if its public key was not manually added to the local trusted key ring.
<smile-on>
That approach gives gem authors the ability to sell code and their services as support to commercial projects. It gives you as a consumer the ability to trust only those you selected. Once under contract for their business, a good-quality gem will naturally be maintained by its authors.
<smile-on>
In my mind, “signature validation” in Debian packages is a good working example. To have a bulletproof signature mechanism would require a CA (or a few CAs).
<smile-on>
I see that as feasible only if Ruby software had a significant share of commercial software. Until then, we may collect and host a mirror copy of public keys on a second independent host to make sure that if rubygems.org is hacked, then at the time of adding a key into the local ring the installation tool will be able to recognize a forged public key for an old known release.
<smile-on>
In the meantime, you should trust someone even with no CA.
<smile-on>
Any better ideas?
smile-on has quit [Quit: Page closed]
workmad3 has quit [Ping timeout: 252 seconds]
smile-on has joined #rubygems-trust
smile-on has quit [Quit: Page closed]
drbrain_ has joined #rubygems-trust
drbrain has quit [Ping timeout: 264 seconds]
drbrain_ has quit [Remote host closed the connection]
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
drbrain has joined #rubygems-trust
drbrain has quit [Remote host closed the connection]
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 244 seconds]
drbrain has joined #rubygems-trust
jstr has joined #rubygems-trust
drbrain has quit [Ping timeout: 240 seconds]
havenwood has quit [Remote host closed the connection]
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 276 seconds]
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 240 seconds]
indirect has quit [Ping timeout: 260 seconds]
indirect has joined #rubygems-trust
drbrain has joined #rubygems-trust
jstr has quit [Quit: Computer has gone to sleep.]
drbrain has quit [Ping timeout: 248 seconds]
jstr has joined #rubygems-trust
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 256 seconds]
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 245 seconds]
geal has joined #rubygems-trust
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 245 seconds]
geal has quit [Ping timeout: 246 seconds]
workmad3 has joined #rubygems-trust
drbrain has joined #rubygems-trust
geal has joined #rubygems-trust
drbrain has quit [Ping timeout: 256 seconds]
workmad3 has quit [Ping timeout: 255 seconds]
jstr has quit [Quit: Computer has gone to sleep.]
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 245 seconds]
geal has quit [Ping timeout: 264 seconds]
drbrain has joined #rubygems-trust
workmad3 has joined #rubygems-trust
drbrain has quit [Ping timeout: 252 seconds]
drbrain has joined #rubygems-trust
<theartisan>
smile-on: n
drbrain has quit [Ping timeout: 245 seconds]
<theartisan>
smile-on: please refrain from pasting essays into the channel, link to them instead.
workmad3 has quit [Ping timeout: 252 seconds]
billdingo-afk is now known as billdingo
drbrain has joined #rubygems-trust
drbrain has quit [Ping timeout: 255 seconds]
whitequark has left #rubygems-trust [#rubygems-trust]