20:22 <zaolin> Hey guys

20:25 <zaolin> Any plans of implementing GPG support for gems in the future ?

20:32 <havenwood> zaolin: It has been discussed and there are some tools that do just that. It seemed the preferred direction was TUF and there's a branch that started working on it but i don't think it's ever been completed: https://theupdateframework.github.io

20:33 <havenwood> zaolin: https://github.com/rubygems/rubygems/pull/719

20:34 <havenwood> zaolin: https://docs.google.com/document/d/1fobWhPRqB4_JftFWh6iTWClUo_SPBnxqbBTdAvbb_SA/edit

20:35 <havenwood> zaolin: https://github.com/grant-olson/rubygems-openpgp

20:42 <zaolin> havenwood: oh good so tuf implements their own x509 crap instead of using a well established and distributed technology like GPG. Oo

20:43 <zaolin> But anyway good to hear that someone tried to improve the situation.

20:54 <zaolin> Any idea why https://github.com/grant-olson/rubygems-openpgp was stalled ?

23:00 <drbrain> main problem with GPG is there's no GPG extension in ruby's standard library

23:00 <drbrain> last I checked X.509 was better established and distributed that GPG

23:01 <drbrain> I'm even using X.509 to send messages over IRC

23:10 <zaolin> drbrain: backticks should work without problems for calling gpg under different operating systems. Building an own PKI via x509 certificates is total overbloat, not easy and also dangerous to use if you dont know what you are doing. GPG is secure and probably unbroken by the NSA.

23:11 <drbrain> backticks?

23:11 <drbrain> you're joking, right?

23:11 <drbrain> backticks are the worst way of executing child processes from ruby

23:12 <drbrain> "probably unbroken by the NSA" is the joking part

23:13 <drbrain> backticks are the worst way because:

23:13 <drbrain> you are forced to use interpolation which makes you vulnerable to shell-escaping

23:14 <drbrain> you can't control the size of the child processes output

23:14 <drbrain> stderr and stdout are mixed

23:15 <drbrain> you don't get a PID to exercise process control

23:15 <drbrain> you can't control stdin

23:16 <drbrain> Process.spawn gives you all of ↑ but then you're left with parsing output of a program you don't control that users will upgrade ad-hoc possibly breaking you in the future

23:17 <zaolin> drbrain: Take a look at the android apk infrastructure of google, same problem. Backticks -> who cares, then use something else which isn't a gem and secure.

23:18 <drbrain> why do you think we should invest the free labor for something almost nobody wants?

23:20 <drbrain> sometimes we get lucky and people say "RubyGems should improve security, I'm going to do something about it"

23:20 <drbrain> then they make something that half works and walk away

23:25 <zaolin> drbrain: I totally understand. I am dev in more than one big opensource project. You started the discussion :) . But yeah maybe I am planing on contributing something.

23:30 <zaolin> Or helping out with finishing the tuf stuff. How is the state there ?

23:33 <drbrain> I'm unsure, it falls under the "almost nobody wants" bucket as well

23:45 <zaolin> I am not sure if its about "nobody wants it" or a package manager should include "security by default" . But I agree the most webdevs don't seem to care about security.