@dwradcliffe Doing a story for @rubyfive on the gem replacement deal. Is there any integrity checking for .gem files when installing?
Replying to @olivierlacan
@olivierlacan @dwradcliffe @rubyfive on bundler/gem clients? no there isn't.
Replying to @arthurnn
@arthurnn @dwradcliffe Ok, noted. Would I be a dick for suggesting we should do that on the podcast? Or is there an existing effort?
Replying to @olivierlacan
@olivierlacan @arthurnn I was thinking about that too. It's something we should consider, I think.
Replying to @dwradcliffe
@dwradcliffe @arthurnn Wouldn’t this be an even better first step than pushing for gem signing?
Replying to @olivierlacan
@olivierlacan @dwradcliffe but indeed, it would be a good first step.
Replying to @arthurnn
@arthurnn @dwradcliffe But what if it’s two endpoints? Doesn’t that reduce the likelihood of MITM? Get the .gem from one, the SHA elsewhere?
Replying to @olivierlacan
@olivierlacan @dwradcliffe Yeah, it would be two different sources. as the SHA would go to the index, and .gem from s3.
Replying to @arthurnn
@olivierlacan @dwradcliffe we tried that in the past https://github.com/rubygems/rubygems.org/commit/5243ca33c090fac687ad44ae836b2cd4ac462edc#diff-3c35bc805bbb122cee7af2e3884a4d66L73 … but reverted https://github.com/rubygems/rubygems.org/commit/68e3d6356cf19542edd2d6630f246c1000324389 … as we broke the index
@arthurnn @olivierlacan @dwradcliffe You should revert that a few more times just for the commit message