We should all be doing this.
I asked Matz during a Q&A at RubyConf 2011 about signing gems. He said he thought it continues to be a good idea (signing gems had already been around for a while), but he doubted the culture of signing would ever catch on….
Perhaps we needed this kick in the pants.
Hahaha very topical
It’s not enough to just start signing our gems – if we want this to work, we need to build the infrastructure that will make using signature verification feasible:
RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems. […] Obviously, this RubyGems trust infrastructure doesn’t exist yet (I just wrote the patch, for cripes sake!). Also, in the “real world” issuers actually generate the child certificate from a certificate request, rather than sign an existing certificate. And our hypothetical infrastructure is missing a certificate revocation system. These are
that can be fixed in the future…
RubyGems 0.8.11 was released in 2005, and 8 years later most of us weren’t even aware that RubyGems could do this. This is a good idea, but it will require a major, concerted effort.
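The comment above lists the three pieces the RubyGems design lacked: an issuer that derives child certificates from certificate requests, a trust infrastructure the installer can check a chain against, and a revocation system. The following is an added example and is not code from the post, the commenter, or RubyGems itself; it models those pieces with Ruby's OpenSSL bindings rather than the Gem::Security API. The issuer name, publisher name, and "gem bytes" are constructed placeholders.

```ruby
require "openssl"

# Added example, not code from the post or from RubyGems: a small model of
# the trust infrastructure the comment above says is missing. An issuer
# signs a child certificate from a certificate request, the publisher
# signs the gem bytes with the child key, and the installer checks both
# the chain (against an explicit set of trusted roots, optionally with a
# CRL) and the signature. Names and gem contents are constructed.

ONE_YEAR = 365 * 24 * 60 * 60
DIGEST = "SHA256"

def make_cert(subject, pubkey, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are allowed
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer_cert ? issuer_cert.subject : subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST)) # returns the cert
end

# The issuer is the one thing an installer trusts a priori (hypothetical name).
def build_issuer
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=Hypothetical Gem Issuer")
  [key, make_cert(name, key.public_key, nil, key, 1, ca: true)]
end

# Publisher side: a CSR proves possession of the private key, and the
# issuer derives the child certificate from it rather than signing an
# existing certificate.
def build_csr(key, subject)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse(subject)
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST)) # returns the request
end

def issue_from_csr(issuer_key, issuer_cert, csr, serial)
  raise "CSR signature does not verify" unless csr.verify(csr.public_key)
  make_cert(csr.subject, csr.public_key, issuer_cert, issuer_key, serial, ca: false)
end

# The issuer's revocation list: the piece the quoted docs say was missing.
def build_crl(issuer_key, issuer_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + ONE_YEAR
  revoked_serials.each do |s|
    r = OpenSSL::X509::Revoked.new
    r.serial = s
    r.time = Time.now - 60
    crl.add_revoked(r)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new(DIGEST)) # returns the CRL
end

def sign_gem(key, gem_bytes)
  key.sign(OpenSSL::Digest.new(DIGEST), gem_bytes)
end

# Installer side: the leaf must chain to a trusted root (and must not be
# on the CRL when one is supplied) before the signature is even consulted.
def verify_gem(trusted_roots, chain, gem_bytes, signature, crl: nil)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  leaf, *intermediates = chain
  return false unless store.verify(leaf, intermediates)
  leaf.public_key.verify(OpenSSL::Digest.new(DIGEST), signature, gem_bytes)
end

def demo
  issuer_key, issuer_cert = build_issuer
  publisher_key = OpenSSL::PKey::RSA.new(2048)
  publisher_cert = issue_from_csr(issuer_key, issuer_cert, build_csr(publisher_key, "/CN=publisher@example.invalid"), 2)
  gem_bytes = "constructed stand-in for the bytes of a .gem file"
  signature = sign_gem(publisher_key, gem_bytes)

  # A self-signed certificate nobody chose to trust, claiming the same name.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_cert = make_cert(publisher_cert.subject, rogue_key.public_key, nil, rogue_key, 99, ca: false)

  {
    valid: verify_gem([issuer_cert], [publisher_cert], gem_bytes, signature),
    tampered: verify_gem([issuer_cert], [publisher_cert], gem_bytes + "!", signature),
    untrusted_issuer: verify_gem([issuer_cert], [rogue_cert], gem_bytes, sign_gem(rogue_key, gem_bytes)),
    no_trust_anchor: verify_gem([], [publisher_cert], gem_bytes, signature),
    revoked: verify_gem([issuer_cert], [publisher_cert], gem_bytes, signature, crl: build_crl(issuer_key, issuer_cert, [2])),
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The point the example makes is the one the comment makes: a valid signature on its own proves nothing. The `no_trust_anchor` case has a perfectly good signature and a perfectly good certificate, and still fails, because the installer was never told whom to trust; the `untrusted_issuer` case fails for the same reason even though the subject name matches. Only the `valid` case passes, and the `revoked` case shows that a chain which was once acceptable stops being so once the issuer publishes a CRL and the installer actually checks it.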