09:23 <yorickpeterse> http://blog.meldium.com/home/2013/3/3/signed-rubygems-part hm interesting

09:25 <yorickpeterse> So what's the status of the whole debate? I've been out for a bit but it seems no real progress has been made

10:58 <theartisan> yorickpeterse: http://goo.gl/ybFIO

10:59 <yorickpeterse> Is that the Rubygems requirements doc? I read that like 2 weeks ago

10:59 <yorickpeterse> Yeah seems so

10:59 <theartisan> yeah, and raggi is looking into https://www.updateframework.com

10:59 <yorickpeterse> So with Bundler adopting signing, wouldn't it be easier to fix the current system?

11:00 <theartisan> im not sure where they are on that though.

11:00 <yorickpeterse> As in, encrypt stuff, unfuck it in the Gemspec and distribute it in an easier way

11:00 <yorickpeterse> (stuff being the keys)

11:41 <dstufft> MediumSecurity allows the use of unsigned gems, but if a gem is signed, it makes sure the signature is valid and also has a proper certificate chain. :V

11:43 <dstufft> yorickpeterse: gem signing is nice and all, but actually signing and verifying signatures isn't all that useful

11:43 <dstufft> Not unless it's backed by a sane trust model

11:44 <dstufft> And the UX on that bundler one is _horrible_

11:44 <dstufft> the vast bulk of people will not run even MediumSecurity becasue it's annoying

12:07 <yorickpeterse> dstufft: oh, very true

22:46 <yorickpeterse> HEY GAIS, I HAVE A GREAT IDEA

22:47 <yorickpeterse> LETS ENCRYPT GEMS USING MD5. THAT'S NOT A PROBLEM FOR INTERNAL STORAGE RIGHT? RIGHT?

22:47 <yorickpeterse> (yes caps are mandatory)