Expand gem security build/install instructions; add checksum #70
Conversation
|
Re: https://github.com/YorickPeterse/ruby-lint/issues/72#issuecomment-29004447 I do not think that the rubygems PGP CA is worth mentioning/using. Although the idea in itself was interesting it was of little value over the existing key server infrastructure out there. Having a single developer act as a CA is no more secure than a group of developers that share mutual trust. Whether it's worth mentioning the PGP plugin is also something I'm not sure about. This isn't per definition because PGP is back but because unless it's enforced (that is, RubyGems enforces signed packages only) nobody will use it. In fact, although I do sign ruby-lint myself I've yet to see a single other Gem do it. Personally I'm considering to stop signing Gems using PGP as based on my own use and the use of others I consider it no more secure than providing a list of SHA1 checksums in a Git repository. The built-in certificate signing system is definitely worth mentioning although I don't think it solves anything. Users are required to set trust levels, put all kinds of extra stuff in Gemspecs and due to it not being enforced it will only be a massive pain. For example, if the Rails maintainers decide to sign OK so I kinda went off topic there. To cut a long story short: I don't think mentioning GPG is worth it unless it becomes a standard, which it probably never will due to it not being available on every platform. For certificate signing it's important to state both the upsides and downsides as well as why one should do it in the first place. Just listing a bunch of commands isn't going to get Average Joe or Average Alice to suddenly sign their Gems. |
|
Thanks @yorickpeterse, @grant-olson was just giving me similar advice to abandon use of the ca until it gets official backing, and for any gems using openpgp, to ask users to trust keys on an individual basis, as he notes at the bottom of the stackdriver-ruby readme |
|
This week employees of Square are working on adding TUF to RubyGems which will probably replace the existing signing code. It's not worth inclusion yet, though. |
|
Ok, @drbrain @yorickpeterse @grant-olson what do you think of this? |
|
There's a small typo: should be |
|
@yorickpeterse Ha, thanks! |
|
After a glance, it looks OK to me! |
Expand gem security build/install instructions; add checksum; recommend against OpenPGP
|
Ok, merged. Still needs attention, but I think this is a marked improvement (thanks to all comments!) |
|
I think the questions asked in #62 would be good content to add:
|
3063: Updates to some old gem-signing docs. r=bronzdoc a=tiegz # Description: Some of the gem-signing docs are out-of-date since most of them were updated in 2012: * `gem build` includes a single checksum file now, relpacing the old *.sum files, as of 3f2e059 * updates the results of the `gem help cert` command in the docs with newer flags * replaces an old YAML method that was removed from Psych Additional question: I almost replaced ~/.gem in these docs with ~/.ssh for storing gem signing keys, since the [Rubygems guides use ~/.ssh](https://guides.rubygems.org/security/), for consistency between docs + guides. But then I wondered "why would you store gem signing keys in an ssh folder?" and couldn't find an explanation in rubygems/guides#70 . Curious which one would be best. # Tasks: - [x] Describe the problem / feature - [ ] Write tests - [ ] Write code to solve the problem - [ ] Get code review from coworkers / friends I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md). Co-authored-by: Tieg Zaharia <[email protected]>
For review, @drbrain
cc @yorickpeterse
cc @grant-olson
cc @tarcieri