As discussed on the RubyGems documentation:
RubyGems has had the ability to cryptographically sign gems since version 0.8.11. This signing works by using the gem cert command to create a key pair, and then packaging signing data inside the gem itself. The gem install command optionally lets you set a security policy, and you can verify the signing key for a gem before you install it.
In order to define policies for publishing Gems securely, I would propose that the following criteria be met:
- Gem publishers need to be active members of the Samvera Community (members of the `contributors` Team on GitHub)
- Gem publishers need to select a single e-mail address for use in Gem specifications (`.gemspec` files)
- An individual may have multiple e-mail addresses in different `.gemspec` files, each linked to past roles within different organizations (there are certainly cases where an individual may move between organizations or change roles while remaining an active member of Samvera). In this case, I propose that there be a primary e-mail address reserved for Samvera contributions
- Gem publishers need to generate and manage their own self-signed Gem certificate using `gem cert --build your@email.com`
- RubySec be referenced for any existing Gem vulnerabilities which may readily affect the release of a new Gem