-
-
Save anonymous/d59e37e9fa07d1fbd4e7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Proposal A: Keep It Simple Stupid And Start with Something (KISSASS) | |
1. Use current existing infrastructure, enforce signing. | |
Have rubygems.org reject gem-pushes that don't contain a signature. | |
2. Add a field in the gemspec 'public_key_https_url' that the author | |
must point to his public key. If he doesn't then boo, nobody will | |
be able to validate his gem. | |
3. When 'gem install' encounters an unknown key it displays the URL | |
and it is up to the user to say "Yes, I want to import this" or "No". | |
4. Deploy. Start thinking how to improve the solution. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment