Closed tagliala closed 6 months ago
Thank you for the PR! However, this change is redundant as MFA has long been required for gems with a high number of downloads, and I'd rather not add code that has no effect.
Hi,
thanks for your answer
I know that it is required for gems with "a high number of downloads", however I've submitted the PR anyway because it will explicitly add to rubygems "NEW VERSIONS REQUIRE MFA" and "VERSION PUBLISHED WITH MFA" fields.
I usually check all the libraries in our stack when there is an upgrade to confirm that it was pushed by a legit account
Ref: https://rubygems.org/gems/regexp_parser
I can edit the commit message because the first one is a copy & paste.
For this gem, it would be more appropriate to add the fact that explicitly enabling mfa will show metadata information on rubygems
Rebased and reworded, now it should be better
Yeah so this is about making the MFA fact more "machine parsable" not so much about changing the fact MFA is required. I know / run corporate tools that scan for this signal. It makes regexp_parser easier to integrate into a dependency tree.
All my popular gems are also under that explicit metadata signal BTW.
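One way to implement the kind of scan described in this thread, as an added example that is not code from the PR or from regexp_parser: it checks each gemspec in a dependency set for the explicit rubygems_mfa_required signal. The spec objects are constructed inline, and "example_unmarked_gem" is a hypothetical name.

```ruby
require "rubygems"

# Constructed sample specs standing in for a dependency tree: one carries the
# explicit signal, the other (hypothetical gem) does not.
SAMPLE_SPECS = [
  Gem::Specification.new { |s|
    s.name    = "regexp_parser"
    s.version = "2.9.2"
    s.metadata["rubygems_mfa_required"] = "true"
  },
  Gem::Specification.new { |s|
    s.name    = "example_unmarked_gem" # hypothetical, constructed for the example
    s.version = "1.0.0"
  },
]

# rubygems.org treats only the exact string "true" as the MFA-required signal;
# a missing key or any other value is "not set".
def mfa_required?(spec)
  spec.metadata["rubygems_mfa_required"] == "true"
end

# Names of gems that lack the explicit signal, for a scanner to flag for review.
def gems_without_mfa_signal(specs)
  specs.reject { |spec| mfa_required?(spec) }.map(&:name).sort
end

if $PROGRAM_NAME == __FILE__
  # With gem names on the command line, audit the locally installed specs;
  # without arguments, run against the constructed sample set.
  specs = ARGV.empty? ? SAMPLE_SPECS : Gem::Specification.select { |s| ARGV.include?(s.name) }
  unmarked = gems_without_mfa_signal(specs)
  if unmarked.empty?
    puts "all #{specs.size} gems set rubygems_mfa_required=true"
  else
    puts "no explicit MFA signal: #{unmarked.join(', ')}"
  end
end
```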
That makes sense, thanks for the explanations. I've released v2.9.2 with this change.
As a popular gem, regexp_parser implicitly requires that all privileged operations by any of the owners require OTP. However, by explicitly setting rubygems_mfa_required metadata, the gem will show "NEW VERSIONS REQUIRE MFA" and "VERSION PUBLISHED WITH MFA" in the sidebar at https://github.com/ammar/regexp_parser
Ref: