So the Ruby community is going to attempt to run its own vulnerability tracker and CA. This ought to end well.
@rich0H whole plan has been to support a CRL. One of the things this approach supports that others don't
@bascule For all its (many) flaws, PGP does revocation pretty well. I see Debian's package signing as an imperfect, but working and OSS ...
@rich0H do you think it really makes sense for gpg to be a hard dependency of rubygems? Ruby isn't a Linux distro
@bascule If you don't want to install GPG then just ignore the signatures and have no less security than you have right now?
@rich0H OpenSSL is already in the Ruby standard library and RubyGems already supports X.509 certificates. Why switch to GPG?
@bascule Too long for tweets. Where do you IRC?
@rich0H #rubygems-trust is where this is being discussed. See also: https://github.com/rubygems-trust