The bootstrap-sass gem was recently the target of an attack that saw a malicious version being published to RubyGems.org. This offers a good opportunity to review the processes & policies of the Bundler project to ensure that the core team is following best practices and taking active steps to minimize the risk of a malicious version of Bundler being published to users.
RubyGems 2FA
RubyGems.org recently added the ability to enable 2FA for users, which requires a one-time token to be entered when logging into RubyGems.org and when publishing a new version of a gem via the CLI.
This offers an extra barrier of protection from attackers gaining the ability to publish a malicious version of Bundler to RubyGems.org.
Proposal to enable 2FA on accounts with access to Bundler
I would like to make a proposal for a new policy that sets a requirement for all core team members to enable 2FA on RubyGems.org. This helps protect accounts from attackers in the event that a RubyGems.org API key is leaked, or an attacker successfully gains access to a core team member's login credentials.
Unfortunately there is no way to enforce this setting in RubyGems.org, but taking members on their word should be suitable enough.
If this proposal is accepted, the core team would organize a time frame for the users with access to Bundler on RubyGems.org to enable 2FA on their accounts. After that, any account with access to Bundler on RubyGems.org that does not have 2FA enabled may have its access removed.
Feedback welcome.