unicorn Ruby/Rack server user+dev discussion/patches/pulls/bugs/help
* Signing the gem with a PGP key
From: Hongli Lai @ 2013-03-11 19:57 UTC
  To: unicorn list

After the recent Rubygems.org hack it became clear that something
needs to be done about authenticating gems. One of the efforts that
was launched is http://www.rubygems-openpgp-ca.org/. We at Phusion
have just finished signing all our gems and repositories with our PGP
key, and our PGP key has been verified and signed by this CA.

It would be great if Unicorn can participate as well by signing future
releases. If you already use GnuPG then the process is extremely
straightforward.

-- 
Phusion | Ruby & Rails deployment, scaling and tuning solutions

Web: http://www.phusion.nl/
E-mail: info@phusion.nl
Chamber of commerce no: 08173483 (The Netherlands)
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying


* Re: Signing the gem with a PGP key
From: Eric Wong @ 2013-03-11 22:48 UTC
  To: unicorn list

Hongli Lai <hongli@phusion.nl> wrote:
> After the recent Rubygems.org hack it became clear that something
> needs to be done about authenticating gems. One of the efforts that
> was launched is http://www.rubygems-openpgp-ca.org/. We at Phusion
> have just finished signing all our gems and repositories with our PGP
> key, and our PGP key has been verified and signed by this CA.
> 
> It would be great if Unicorn can participate as well by signing future
> releases. If you already use GnuPG then the process is extremely
> straightforward.

Can we designate gems be signed by a trusted third party (e.g. you?)
That's how Debian (and presumably other OS distros) work.

_Nobody_ should trust me.  I have and maintain zero credibility.
The only credibility any unicorn has is what its users give it.

* Re: Signing the gem with a PGP key
From: Hongli Lai @ 2013-03-11 23:10 UTC
  To: unicorn list

On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <normalperson@yhbt.net> wrote:
> Can we designate gems be signed by a trusted third party (e.g. you?)
> That's how Debian (and presumably other OS distros) work.
>
> _Nobody_ should trust me.  I have and maintain zero credibility.
> The only credibility any unicorn has is what its users give it.

Well the kind of trust we're talking about here is not trustworthiness
(i.e. "does the software work well and will it refrain from formatting
my harddisk?"), but authenticity ("is this gem made by the Unicorn and
not someone pretending to be him?"). Given that definition of "trust",
having a third party sign the gem is not very useful, and letting you
sign the gem will not make it a statement about trustworthiness,
warranty or credibility.

What do you think?

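A consumer-side counterpart to the two points above (the proposal in the first message that releases be PGP-signed, and the distinction in the message just above between authenticity and trustworthiness), added here as an example and not code from this thread or from the unicorn project. The part people get wrong is that "gpg --verify" exits 0 for a good signature from any key in the keyring, and its TRUST_* lines report web-of-trust certification, which is exactly the third-party statement the message above says is not useful for authenticity. The check below therefore ignores both the exit code and the trust level, and instead matches the fingerprint gpg reports on its VALIDSIG status line (signing subkey or primary key) against a list the user has pinned. The class name, the pinned fingerprint and the three sample status outputs are constructed for illustration; the "[GNUPG:] ..." line layout is gpg's documented --status-fd format, and verify_file assumes gpg is on PATH with the publisher's public key already imported.

```ruby
require "open3"

# Added example: verify a detached OpenPGP signature on a gem or tarball and
# accept it only if the signing key is one of a pinned set of fingerprints.
# "gpg --verify" exits 0 for *any* key in the keyring, so without the
# fingerprint check you learn "some key signed this", not "the publisher did".
class PinnedSignatureCheck
  Result = Struct.new(:ok, :reason, :fingerprint)

  # Status tags that reject the file no matter what else gpg reports
  # (a file carrying one good and one bad signature is rejected).
  FATAL = {
    "BADSIG"    => "signature does not match the file",
    "ERRSIG"    => "signature could not be checked (key missing or unsupported)",
    "EXPKEYSIG" => "signing key has expired",
    "REVKEYSIG" => "signing key has been revoked",
    "EXPSIG"    => "signature itself has expired",
  }.freeze

  # pinned_fingerprints: full 40-hex-digit fingerprints, spaces allowed as
  # gpg prints them. The values used in the demo below are made up.
  def initialize(pinned_fingerprints)
    @pinned = pinned_fingerprints.map { |f| normalize(f) }
    raise ArgumentError, "pin at least one fingerprint" if @pinned.empty?
  end

  # Shells out to gpg (assumed on PATH, publisher key already imported).
  # --status-fd 1 puts the machine-readable "[GNUPG:] ..." lines on stdout;
  # the human-readable chatter stays on stderr.
  def verify_file(file, signature)
    out, _err, _status = Open3.capture3(
      "gpg", "--batch", "--no-tty", "--status-fd", "1",
      "--verify", signature, file
    )
    evaluate(out)
  end

  # Decide from the status lines alone; the process exit code is not consulted.
  def evaluate(status_text)
    valid = [] # [signing-key fpr, primary-key fpr] per VALIDSIG line
    status_text.each_line do |line|
      fields = line.split
      next unless fields[0] == "[GNUPG:]"
      tag = fields[1]
      return Result.new(false, "#{tag}: #{FATAL[tag]}", nil) if FATAL.key?(tag)
      next unless tag == "VALIDSIG"
      # VALIDSIG <fpr> <date> <ts> <exp> <ver> <reserved> <pkalgo> <hashalgo>
      #          <sigclass> [<primary-key-fpr>]   (gpg doc/DETAILS)
      signing = normalize(fields[2])
      primary = fields[11] ? normalize(fields[11]) : signing
      valid << [signing, primary]
    end
    return Result.new(false, "no VALIDSIG: gpg verified no signature", nil) if valid.empty?

    valid.each do |signing, primary|
      hit = [signing, primary].find { |f| @pinned.include?(f) }
      return Result.new(true, "signed by pinned key", hit) if hit
    end
    Result.new(false,
      "good signature, but not from a pinned key (#{valid.map(&:last).join(', ')})", nil)
  end

  private

  def normalize(fpr)
    fpr.to_s.delete(" ").upcase
  end
end

# Constructed sample status output (not captured from a real run); the
# fingerprints are made up. TRUST_UNDEFINED is what gpg prints for a key that
# nobody in your web of trust has certified, which is irrelevant to pinning.
PINNED = ["ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01"].freeze

GOOD_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG 89ABCDEF01234567 Example Publisher <publisher@example.com>
  [GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-03-11 1363031820 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
  [GNUPG:] TRUST_UNDEFINED 0 pgp
STATUS

# A perfectly valid signature from some other key; gpg itself would exit 0.
UNPINNED_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG 0011223344556677 Someone Else <else@example.org>
  [GNUPG:] VALIDSIG FFEEDDCCBBAA99887766554433221100FFEEDDCC 2013-03-11 1363031820 0 4 0 1 10 00 FFEEDDCCBBAA99887766554433221100FFEEDDCC
  [GNUPG:] TRUST_UNDEFINED 0 pgp
STATUS

BAD_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] BADSIG 89ABCDEF01234567 Example Publisher <publisher@example.com>
STATUS

def demo
  check = PinnedSignatureCheck.new(PINNED)
  {
    good:     check.evaluate(GOOD_STATUS),
    unpinned: check.evaluate(UNPINNED_STATUS),
    bad:      check.evaluate(BAD_STATUS),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: ok=#{r.ok} #{r.reason}" }
end
```

Against a real release the flow is: import the publisher's key once, record its fingerprint out of band, then call verify_file("unicorn-X.Y.Z.gem", "unicorn-X.Y.Z.gem.asc") (hypothetical file names). The publisher side that produces the .asc is a detached signature, gpg --armor --detach-sign on the gem file. Note that the result for UNPINNED_STATUS is the case the thread is about: a good signature tells you only that someone with a key signed the file, and it is the pinned fingerprint, not a CA or web-of-trust signature, that turns it into "this came from the publisher".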

* Re: Signing the gem with a PGP key
From: Eric Wong @ 2013-03-11 23:59 UTC
  To: unicorn list

Hongli Lai <hongli@phusion.nl> wrote:
> On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <normalperson@yhbt.net> wrote:
> > Can we designate gems be signed by a trusted third party (e.g. you?)
> > That's how Debian (and presumably other OS distros) work.
> >
> > _Nobody_ should trust me.  I have and maintain zero credibility.
> > The only credibility any unicorn has is what its users give it.
> 
> Well the kind of trust we're talking about here is not trustworthiness
> (i.e. "does the software work well and will it refrain from formatting
> my harddisk?"), but authenticity ("is this gem made by the Unicorn and
> not someone pretending to be him?"). Given that definition of "trust",
> having a third party sign the gem is not very useful, and letting you
> sign the gem will not make it a statement about trustworthiness,
> warranty or credibility.
> 
> What do you think?

The only thing that matters in the end is whether the code is good or not.

I have the same likelihood of having my GPG key compromised as I do of
writing broken code that breaks things horribly: a very likely one.

I make my commits public and send patches to mailing lists to
encourage others to verify what I'm doing isn't horribly broken.  I
never tell anybody to accept patches/code based on who wrote it; same
goes for gems/tarballs.

So yes, gems/tarballs should have the same level of scrutiny as every
commit.


If somebody else assumed my identity, but continued doing things in the
way I've done in the past, unicorn users would not (nor should they)
notice the difference.  That may've already happened :)
