theartisan changed the topic of #rubygems-trust to: Current Status: drafting requirements. please leave comments on http://goo.gl/ybFIO :: Logs at http://irclog.whitequark.org/rubygems-trust
* theartisan has had too much to drink to follow this conversation.
<havenwood> Have you guys seen the rubygems-openpgp CA (i've read gpg is a nonstarter but this did seem to work quite well to public a key)?: http://www.rubygems-openpgp-ca.org
<havenwood> s/to public/to submit
billdingo is now known as billdingo-afk
<kseifried> havenwood, : no native support for gpg, also on windows it's not fun
<kseifried> havenwood, : so chances are the solution will use X.509/etc
<havenwood> kseifried: I'm not trying to start up the gpg/openssl debate. I do think Grant's CA is a nice blend of verifying the gem author with not being invasive or slow though.
<havenwood> (Submitting an email address and Rubygems profile page.)
<havenwood> His requirements for your RubyGems profile url are: 1) one or more non-trivial gem, 2) gemspec email must match submitted email.
<havenwood> s/gem/gem(s)
<tarcieri> havenwood: invasive == having to install gpg to use it
<tarcieri> also I think postmodern found shell escaping bugs in rubygems-openssl?
<tarcieri> heh
<havenwood> tarcieri: For Windows users. Yes. But isn't everything invasive on Windows? :P
<tarcieri> shelling out to a third party tool to provide security... SEEMS BAD
<tarcieri> saying "fuck Windows" SEEMS BAD
<havenwood> tarcieri: did he? eek...
<havenwood> tarcieri: Obviously that isn't an option...
<tarcieri> and why are we doing this?
<tarcieri> because CRLs are hard? because OCSP is hard?
<tarcieri> how do I shot RFC 5280?
<havenwood> tarcieri: I'm not suggesting his CA is a viable option. I do like the validation steps though. Email, RubyGems profile, email matches RubyGem gem gemspec emails.
<tarcieri> that's about all I hear out of anyone
<tarcieri> my response is like "notreallybro?"
<tarcieri> I've... done this shit before
<tarcieri> professionally
<tarcieri> you'll be fine... just breathe
<dstufft> kseifried: interestingly you can bundle gpg on windows with 2 files
<havenwood> I think I didn't phrase what I mean very well (on Benadryl for head-cold). I think his gem author key registration process was fast and non-invasive. Seems people have beaten "gpg is a nonstarter" into the ground, just pointed his CA out cause I like the minimal but fast steps an author takes.
<dstufft> kseifried: and it doesn't infect your codebase license assuming you use subprocessing to interact with it
<havenwood> Nevermind... I just can't write what I mean today.
<dstufft> kseifried: Sadly the python solution is probably going to involve GPG because of political reasons, so I know now this D:
<dstufft> now know
<dstufft> words: a hard thing
<tarcieri> havenwood: it's a nonstarter for an official solution
<tarcieri> havenwood: so unless the GPG CA blows up into an awesome solution everyone is happy with, it's likely that RubyGems proper will ship something else
<havenwood> Since I fail at English today, lemme try Ruby :P: { grant_ca: { gpg: ['non-starter', 'not trying to argue for it'], process_to_register_as_gem_author: ['fast', 'non-invasive'] } }
<havenwood> tarcieri: I doubt it will blow up. If it isn't a RubyGems-sponsored solution will be hard to gain any traction.
<tarcieri> confirm ;)
davidbalbert is now known as davidbalber|away
havenwood has quit [Remote host closed the connection]
qmx|away is now known as qmx
<kseifried> gpg in't he end of the world, but long term it is annoying in some ways, ahwell
<tarcieri> what's supposed to happen?
<tarcieri> is RubyGems supposed to go:
<tarcieri> "GPG not found! Plz 2 be installing GPG if you want teh securitay"
<tarcieri> and how many people will actually install it
<tarcieri> even if prompted every time they do anything with gems
<tarcieri> security shouldn't be optional
<tarcieri> then how many people will be like
<drbrain> tarcieri: RubyGems did the same with OpenSSL for a long time
<tarcieri> "I got some stupid gem error about security, so I uninstalled gpg and now it works like a charm!"
<drbrain> now OpenSSL is required to install gems
<tarcieri> drbrain: seems good bro, so why go back? ;)
<tarcieri> the thing that like... pisses me the fuck off, makes me seriously angry about this whole thing
<tarcieri> I'm like
<tarcieri> "Use PKI"
<tarcieri> people are like "you don't know anything about PKI. it's way hard. how do you do revocation? PKI is so fucking hard and this is all built into GPG"
<tarcieri> and I'm like
<tarcieri> o_O
<tarcieri> Have you done PKI professionally?
<tarcieri> I HAVE
<kseifried> seriously?
<tarcieri> oh
<tarcieri> you haven't
<tarcieri> you're just TALKING OUT YOUR FUCKING ASS
<tarcieri> well thanks for your uninformed opinion
* kseifried shuts up before he goes off about users again :P
<tarcieri> lol
<drbrain> oh, kseifried did you ping me this morning?
<kseifried> yes
<tarcieri> I'm not saying PKI is easy
<kseifried> ahhh yes I did
<kseifried> ok
<kseifried> uhm
<tarcieri> but it's certainly doable
<kseifried> oh yeah
<tarcieri> and the threat model is well known
<kseifried> I was wondering
<kseifried> so many rubygems list 1 or more people associated with the gem, sometimes with email addresses
<kseifried> ok so far
<kseifried> so to submit security reports to them
<kseifried> I was wondering how much work it would be to support something for that
<tarcieri> I'd like to try adding CRLs to rubygems proper
<kseifried> like security-rubygem-name@rubygems.org for example that then forwards on to the developers or an email address(es) they set
<tarcieri> so many projects, so little time
<drbrain> kseifried: all that should be in the rubygems.org database, so server-side, not much work
<kseifried> drbrain: problwm is if it's more than one person ont he gem for all I know one guy is just there for spell checking or whatever, so I'd rather not send embargoed security issues to all random people
<drbrain> kseifried: rubygems 2.x has metadata
<drbrain> so we'll be able to define a tighter list
<kseifried> drbrain, : I'm starting to audit gems, as are other people, but there's no sane way to contact them
<tarcieri> drbrain: so now that OpenSSL is semi-ubiquitous, should we throw that all away and shell out to an optional third party tool? ;)
<tarcieri> drbrain: and deal with shell escaping bugs as part of the attack surface? ;)
<kseifried> tarcieri, : no. you should write something from scratch!
<drbrain> tarcieri: on windows shelling out gives me bad feelings
<tarcieri> or people hijacking PATH
<tarcieri> kseifried: cool, I'll get right on TonySignatures
<tarcieri> drbrain: haha yeah that too
<kseifried> tarcieri, : no you wanna be leet, use something from djb but make it worse
<drbrain> kseifried: rubygems.org also has the "owner" email which is separate from the author
<tarcieri> kseifried: that's what I'm working on :|
<drbrain> only owners are allowed to push, so it (should) be more restrictive than authors
<kseifried> drbrain, : so .. hrmm
<kseifried> drbrain, : is there only ever _1_ owner, and then 1 or more authors?
<drbrain> there can be multiple authors
<kseifried> hrmm
<kseifried> well
<kseifried> ideally I'd rather have a specified "Security" contact(s)
<kseifried> but that requires opt-in and people setting shit up
<drbrain> but since authors have the keys to the castle it should be people who care about security
<kseifried> which won't happen reliably
<kseifried> yah
<kseifried> you'd think/hope so
<drbrain> at the very least, they have the authority to do something about it
<kseifried> so would you be willing to do like a generic setup for rubygem-fo-security@ to point t them?
<kseifried> my one concern would be spam/etc.
<drbrain> I think it's a sensible thing to do
<kseifried> but at this point everyone should have decent anti spam
<drbrain> would the restriction of needing a rubygems.org account to post (via webform) to the email initially be sufficient?
<drbrain> still, yeah, people have decent anti-spam
<kseifried> drbrain, : as lon as it's not to painful
<kseifried> like I bet I'll find a few dozen/hundred issues once I start my audit
<kseifried> OTOH a web form provides you the ability to have specific fields for the security report
<kseifried> so better chance of a sane security report
<kseifried> rather than "my cat wears a tinfoil hat but your software talks to the martians and BLARGLE WARGLE AAAAA"
<drbrain> hehe
<kseifried> no seriously
<kseifried> we have a guy who claims to own pi email secalert@ once a month
<drbrain> the only trouble I see with a web form is that rubygems.org would need a mail processor to keep the list replies going after that
<kseifried> uhhmm no
<kseifried> just set reply-to header
<kseifried> and set from as like "you-idiot-use-the-reply-to@rubygems.org"
qmx is now known as qmx|away
alexspeller has quit [Ping timeout: 252 seconds]
namelessjon has quit [Ping timeout: 252 seconds]
alexspeller has joined #rubygems-trust
namelessjon has joined #rubygems-trust
havenwood has joined #rubygems-trust
<kseifried> drbrain, you lied to me I think
<kseifried> e.g. https://rubygems.org/gems/timecop has 2 owners and 2 authors
<kseifried> I thought you said 1 owner per gem?
<raggi> you can have many of both
workmad3 has joined #rubygems-trust
sferik has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
workmad3 has quit [Ping timeout: 260 seconds]
sferik has quit [Quit: Computer has gone to sleep.]
sferik has joined #rubygems-trust
workmad3 has joined #rubygems-trust
havenwood has joined #rubygems-trust
billdingo-afk is now known as billdingo
sferik has quit [Quit: Computer has gone to sleep.]
billdingo is now known as billdingo-afk
billdingo-afk is now known as billdingo
qmx|away is now known as qmx
qmx has quit [Changing host]
qmx has joined #rubygems-trust
_kgo_ has joined #rubygems-trust
<_kgo_> Do all the shit-talking on rubygems-openpgp you want, but I would appreciate it if people would stop comparing real, implemented, available, and yes flawed systems vs hypothetical 100% adopted and perfectly secure systems that may or may not exist 6 months or a year from now.
indirect_ has joined #rubygems-trust
<_kgo_> Certs in the current solution aren't even encrypted and we're going to nitpick about shell scripting bugs in a proof-of-concept I threw together in a weekend?
drbrain has quit [Ping timeout: 248 seconds]
indirect has quit [Ping timeout: 248 seconds]
indirect_ is now known as indirect
<_kgo_> Anyway, that's all I have to say.
_kgo_ has quit [Quit: Leaving]
drbrain has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
<dstufft> lol
<theartisan> -_-
<theartisan> sensitive much?
qmx is now known as qmx|away
billdingo is now known as billdingo-afk
billdingo-afk is now known as billdingo
havenwood has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
davidbalber|away is now known as davidbalbert
sferik has joined #rubygems-trust
workmad3 has quit [Ping timeout: 260 seconds]
billdingo is now known as billdingo-afk
havenwood has quit [Remote host closed the connection]
davidbalbert is now known as davidbalber|away
havenwood has joined #rubygems-trust
billdingo-afk is now known as billdingo
billdingo is now known as billdingo-afk
davidbalber|away is now known as davidbalbert
<tarcieri> _____ ____ ___ ____ _ __ ___ _ _
<tarcieri> | ___| _ \|_ _| _ \ / \\ \ / / | | |
<tarcieri> | |_ | |_) || || | | |/ _ \\ V /| | | |
<tarcieri> | _| | _ < | || |_| / ___ \| | |_|_|_|
<tarcieri> |_| |_| \_\___|____/_/ \_\_| (_|_|_)
<tarcieri>
davidbalbert is now known as davidbalber|away
davidbalber|away is now known as davidbalbert
<indirect> kseifried: "authors" = array of strings in gemspec
<indirect> kseifried: "owners" = has permission to push new versions to rubygems.org
<kseifried> yeah
<kseifried> drbrain, said only one owner per gem
<kseifried> but the web interface seems to indicate multiple is possible
<indirect> kseifried: maybe he meant creator?
<indirect> because the creator can add any number of people with push permission
<kseifried> I just read what I'm told
<indirect> and in fact, iirc, any owner once added can remove the original creator
<indirect> from the rg.org owner list
<raggi> indirect: bad news: i found a bundler bug. good news: you already fixed it :-)
<raggi> indirect: ^5
<indirect> raggi: ha
sferik has quit [Quit: ["Textual IRC Client: www.textualapp.com"]]
workmad3 has joined #rubygems-trust
workmad3 has quit [Ping timeout: 248 seconds]
<drbrain> kseifried: one owner is typical, but gems have multiple owners
<kseifried> ahh
workmad3 has joined #rubygems-trust
workmad3 has quit [Ping timeout: 245 seconds]
<alexspeller> Hi all, I'm looking at http://goo.gl/Aie6X because I'm getting the "you have no mapping" error, and I'm wondering (a) is this the current, correct way to do it, and (b) surely this should be automatic shouldn't it? I.e. `MyApp.Foo` should sideload as `foos` automatically, right?
<alexspeller> ^ Wrong room, sorry!
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
davidbalbert is now known as davidbalber|away
workmad3 has joined #rubygems-trust
workmad3 has quit [Ping timeout: 260 seconds]
workmad3 has joined #rubygems-trust
davidbalber|away is now known as davidbalbert
workmad3 has quit [Ping timeout: 260 seconds]
davidbalbert is now known as davidbalber|away
davidbalber|away is now known as davidbalbert
davidbalbert is now known as davidbalber|away