So the Ruby community is going to attempt to run its own vulnerability tracker and CA. This ought to end well.
@rich0H I'm more than qualified to run a CA. I'm the fucking karaoke DJ for DEFCON! If that doesn't qualify me I don't know what does
@bascule It's not about qualified to run a CA, it's about a trust network with no revocation infrastructure.
@rich0H whole plan has been to support a CRL. One of the things this approach supports that others don't
@bascule For all its (many) flaws, PGP does revocation pretty well. I see Debian's package signing as an imperfect, but working and OSS ...
@rich0H do you think it really makes sense for gpg to be a hard dependency of rubygems? Ruby isn't a Linux distro
@bascule If you don't want to install GPG then just ignore the signatures and have no less security than you have right now?
@rich0H OpenSSL is already in the Ruby standard library and RubyGems already supports X.509 certificates. Why switch to GPG?
@bascule Too long for tweets. Where do you IRC?