Remember, 'signing gems' is a panacea.
Replying to @steveklabnik
@steveklabnik Right, you could sign a malicious gem. At least you'd know who made it?
Replying to @seancribbs
@seancribbs not just that, but the current state of gem signing is pretty poor. For good reasons.
Replying to @steveklabnik
@steveklabnik @seancribbs I remember looking into signing before speaking on gems at RubyC - never got the impression it was helpful.
Replying to @pat
@pat @seancribbs it is as helpful as a SHA1 of the contents.
Replying to @steveklabnik
@steveklabnik @pat Yes, you need identity verification as well as integrity. Even that may not be enough /cc @bascule
Replying to @seancribbs
@seancribbs @pat @bascule yepp. And we can do it, it just takes work!
Replying to @steveklabnik
Replying to @bascule
@bascule @steveklabnik @seancribbs interesting, though could release a legit gem, then a malicious update. Review code, or just identity?
@pat @steveklabnik @seancribbs my proposal is just for reviewing publisher identities. Re: malicious gems, see #4 under Attack Surface