Comments (2)
@sds - Ahh good point! I was playing with the security settings and it seemed like this only affected childprocess and rubyzip, but I think that is because my machine had the other gems cached. Sorry for the confusion!
I totally agree that the gem signing ecosystem isn't the greatest of trust models, but the community is currently operating with the trust model that all of the contributors to gems have set up 2FA and that their rubygems.org accounts have not been compromised, which I feel is an even worse trust model.
I absolutely don't want to start a flame war over this, but in light of the recent compromises to gems that could destroy companies like mine, I'd like to think about and push the ruby/opensource communities to have better security, even if it's not perfect just yet.
It seems like you have a lot of experience maintaining gems and thinking about their security. I would love to pick your brain and bounce ideas off of you if you have time. If you are in SF I'd be happy to buy you a beer/coffee/drink to hear more about your thoughts.
from childprocess.
Is childprocess the only gem for which you're getting this error?
It is relatively rare in the RubyGems ecosystem to sign gems. Even rails (a massive project) does not sign its gems.
If we were to sign, you are putting trust in the supply chain of the set of people who are "owners" of the childprocess gem: https://rubygems.org/gems/childprocess. If you were to trust our certificate, you would trust any gem signed by our certificate. From https://guides.rubygems.org/security/
Gem certificates are trusted globally, such that adding a cert.pem for one gem automatically trusts all gems signed by that cert.
Do you want to extend that trust to us? I wouldn't: that's not a great trust model.
If you're particularly paranoid, the best you can hope to achieve is to visit the releases page, check that the signature on the release is signed by one of the maintainers, and then download that release and build and install the gem yourself locally. Hope that helps.
from childprocess.
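The trust model the comment above describes (a certificate added to the trust store is trusted for every gem that certificate signs, and a HighSecurity-style policy rejects anything signed by a cert that is not in the store) can be reproduced in a few lines with Ruby's OpenSSL bindings. The following is an added illustration, not code from the childprocess project or from either commenter: it stands in for the `gem cert --build` / `gem cert --add` / signed-install flow with a self-signed X.509 cert, a signature over a constructed stand-in for the gem's contents, and an in-memory trust store. The function and variable names (`build_signing_cert`, `verify_gem`, `demo`, and the "childprocess maintainer" / "other publisher" labels) are assumptions made for the example.

```ruby
require 'openssl'

# Build a self-signed signing certificate, the shape `gem cert --build` produces.
# The subject is derived from an email the way RubyGems does (CN + DC components).
def build_signing_cert(email)
  user, domain = email.split('@', 2)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  dcs = domain.split('.').map { |dc| "/DC=#{dc}" }.join
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{user}#{dcs}")
  cert.issuer = cert.subject                 # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Sign the gem contents: RubyGems signs a SHA256 digest of each archive member
# (metadata.gz, data.tar.gz) with the publisher's private key.
def sign_gem(key, content)
  key.sign(OpenSSL::Digest.new('SHA256'), content)
end

# Emulate the HighSecurity policy: the signing cert must already be in the trust
# store (`gem cert --add`), it must be within its validity window, and the
# signature over the content must verify with that cert's public key.
# Returns a symbol describing the outcome.
def verify_gem(trust_store, signer_cert, content, signature)
  trusted = trust_store.any? { |c| c.to_der == signer_cert.to_der }
  return :untrusted_cert unless trusted
  now = Time.now
  return :cert_expired unless signer_cert.not_before <= now && now <= signer_cert.not_after
  ok = signer_cert.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, content)
  ok ? :ok : :bad_signature
end

# Walk through the scenario from the thread and return each outcome.
def demo
  # Constructed stand-ins for two gem archives and two publishers (not real gems).
  maint_key, maint_cert = build_signing_cert('maintainer@example.com')
  other_key, other_cert = build_signing_cert('someone-else@example.org')
  childprocess_gem = "constructed contents of childprocess-x.y.z.gem"
  unrelated_gem    = "constructed contents of some-other-gem-1.0.0.gem"

  cp_sig = sign_gem(maint_key, childprocess_gem)
  trust_store = []

  results = {}
  # 1. Nothing trusted yet: HighSecurity refuses the install.
  results[:before_trust] = verify_gem(trust_store, maint_cert, childprocess_gem, cp_sig)

  # 2. User runs `gem cert --add maintainer.pem` for childprocess.
  trust_store << maint_cert
  results[:childprocess] = verify_gem(trust_store, maint_cert, childprocess_gem, cp_sig)

  # 3. The point made in the comment: the same cert now verifies ANY gem it signs,
  #    even one the user never meant to trust.
  other_sig = sign_gem(maint_key, unrelated_gem)
  results[:unrelated_same_cert] = verify_gem(trust_store, maint_cert, unrelated_gem, other_sig)

  # 4. A tampered archive fails even with the cert trusted.
  results[:tampered] = verify_gem(trust_store, maint_cert, childprocess_gem + "x", cp_sig)

  # 5. A different publisher's cert is still rejected until explicitly added.
  foreign_sig = sign_gem(other_key, childprocess_gem)
  results[:other_publisher] = verify_gem(trust_store, other_cert, childprocess_gem, foreign_sig)
  results
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The `unrelated_same_cert` outcome is the one the comment warns about: a trust store keyed only on the certificate has no notion of "this cert is trusted for childprocess but not for other gems", so the decision to add a maintainer's cert is a decision about every package that key will ever sign. The `other_publisher` and `tampered` outcomes show what the policy does protect against.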