samvera / maintenance

Organizing repository for the Core Components Maintenance Interest Group.
Apache License 2.0

Reconcile RubyGems with GitHub Team privileges #102

Open jrgriffiniii opened 2 years ago

jrgriffiniii commented 2 years ago

As discussed on the RubyGems documentation:

RubyGems has had the ability to cryptographically sign gems since version 0.8.11. This signing works by using the gem cert command to create a key pair, and then packaging signing data inside the gem itself. The gem install command optionally lets you set a security policy, and you can verify the signing key for a gem before you install it.

In order to define policies for publishing Gems securely, I would propose that the following criteria be met:

  1. Gem publishers need to be active members of the Samvera Community (members of the contributors Team on GitHub)
  2. Gem publishers need to select a single e-mail address for usage in Gem specifications (.gemspec files)
    1. An individual may have multiple e-mail addresses in different .gemspec files, each linked to past roles within different organizations (there are certainly cases where an individual may move between organizations or change roles while remaining an active member of Samvera). In this case, I propose that there be a primary e-mail address reserved for Samvera contributions
  3. Gem publishers need to generate and manage their own self-signed Gem certificate using gem cert --build your@email.com
  4. RubySec be referenced for any existing Gem vulnerabilities which may readily affect the release of a new Gem
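The signing flow the quoted RubyGems documentation describes (a publisher builds a self-signed certificate with gem cert --build, signing data is packaged with the gem, and gem install checks it under a security policy) can be modeled end to end in plain Ruby. The following is an added example written for this issue, not RubyGems' own implementation: it uses the standard openssl library directly, the policy table is a simplified view of the RubyGems LowSecurity/MediumSecurity/HighSecurity policies, and the key size, validity period, package layout and e-mail address are assumptions.

```ruby
require "openssl"

# Simplified view of the RubyGems security policies (assumption: only the two
# flags that decide the outcomes below are modeled).
POLICIES = {
  "LowSecurity"    => { only_signed: false, only_trusted: false },
  "MediumSecurity" => { only_signed: false, only_trusted: true  },
  "HighSecurity"   => { only_signed: true,  only_trusted: true  },
}.freeze

# Build a key pair and a self-signed certificate for a publisher e-mail, with
# the subject derived from the address as `gem cert --build you@example.org` does.
def build_publisher_cert(email, key_bits: 2048, days_valid: 365)
  local, domain = email.split("@", 2)
  subject = OpenSSL::X509::Name.new(
    [["CN", local]] + domain.split(".").map { |dc| ["DC", dc] }
  )
  key  = OpenSSL::PKey::RSA.new(key_bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = subject
  cert.issuer     = subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days_valid * 24 * 60 * 60
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Produce the signing data packaged inside a gem: a SHA-256 digest of the
# content is signed with the publisher's private key, and the certificate
# travels with the package so the installer can check the signature.
def sign_package(data, key, cert)
  digest    = OpenSSL::Digest.new("SHA256").digest(data)
  signature = key.sign(OpenSSL::Digest.new("SHA256"), digest)
  { data: data, cert: cert, signature: signature }
end

# Decide whether an installer running under +policy_name+ accepts +package+.
# +trusted_certs+ plays the role of the local trust store (`gem cert --add`).
def verify_package(package, trusted_certs, policy_name)
  policy = POLICIES.fetch(policy_name)
  if package[:signature].nil?
    return policy[:only_signed] ? :unsigned_rejected : :ok_unsigned
  end
  cert = package[:cert]
  now  = Time.now
  return :cert_expired unless cert.not_before <= now && now <= cert.not_after
  digest = OpenSSL::Digest.new("SHA256").digest(package[:data])
  unless cert.public_key.verify(OpenSSL::Digest.new("SHA256"), package[:signature], digest)
    return :bad_signature
  end
  if policy[:only_trusted] && trusted_certs.none? { |t| t.to_der == cert.to_der }
    return :untrusted_cert
  end
  :ok
end

if __FILE__ == $0
  key, cert = build_publisher_cert("maintainer@example.org")   # constructed address
  pkg = sign_package("constructed gem contents", key, cert)
  puts verify_package(pkg, [cert], "HighSecurity")                          # ok
  puts verify_package(pkg, [],     "MediumSecurity")                        # untrusted_cert
  puts verify_package(pkg.merge(data: "tampered"), [cert], "HighSecurity")  # bad_signature
end
```

The three outcomes worth noting for a publishing policy: under LowSecurity a valid signature from any certificate is accepted, so the self-signed certificate alone proves nothing about who the publisher is; under MediumSecurity and HighSecurity the installer also has to have been given the publisher's certificate beforehand, which is why the proposal ties each publisher to a single, known e-mail address; and HighSecurity additionally refuses unsigned gems outright.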
jrgriffiniii commented 2 years ago

https://github.com/samvera/maintenance#updating-gem-ownership-permissions features the steps involved in ensuring that RubyGems ownership permissions are updated.

jrgriffiniii commented 2 years ago

https://github.com/samvera/maintenance/blob/main/script/grant_revoke_gem_authority.rb#L104 conditions upon the admin team membership to update RubyGems permissions.

jrgriffiniii commented 2 years ago

Realistically, I suspect that this is going to be blocked by https://github.com/samvera/maintenance/issues/121

jrgriffiniii commented 2 years ago

https://github.com/samvera/maintenance/pull/123 advances this to some extent, but I suspect that questions will still need to be posed to the Samvera Community in order to gauge how best to document RubyGems projects which are anomalies.