1. 7

We should all be doing this.


  2. 2

I asked Matz during a Q&A at RubyConf 2011 about signing gems. He said he thought it continues to be a good idea (signing gems had already been around for a while), but he doubted the culture of signing would ever catch on….

    Perhaps we needed this kick in the pants.

    1. 1

      Hahaha very topical

      1. 1

        It’s not enough to just start signing our gems – if we want this to work, we need to build the infrastructure that will make using signature verification feasible:

        RubyGems version 0.8.11 and later supports adding cryptographic signatures to gems. […] Obviously, this RubyGems trust infrastructure doesn’t exist yet (I just wrote the patch, for cripes sake!). Also, in the “real world” issuers actually generate the child certificate from a certificate request, rather than sign an existing certificate. And our hypothetical infrastructure is missing a certificate revocation system. These are that can be fixed in the future…

        RubyGems 0.8.11 was released in 2005, and 8 years later most of us weren’t even aware that RubyGems could do this. This is a good idea, but it will require a major, concerted effort.
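The two pieces the quoted RubyGems text calls out as missing (issuing the signer's certificate from a certificate request, and a revocation mechanism) sketched in Ruby with the standard openssl library. This is an added example, not RubyGems' own code; the helper names, the CA, and the stand-in gem bytes are constructed assumptions.

```ruby
require 'openssl'

# Constructed example, not RubyGems' own code; helper names are hypothetical. A CA issues a
# signer cert from a CSR and publishes a CRL; the installer checks chain, revocation and signature.
SHA = -> { OpenSSL::Digest.new('SHA256') }
def make_cert(subject, pubkey, issuer, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, serial, pubkey
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject # nil issuer => self-signed root
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key, SHA.call)
end
# Issuer side: check the CSR's proof of key possession before certifying its key.
def issue_from_csr(csr, ca_cert, ca_key, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  make_cert(csr.subject.to_s, csr.public_key, ca_cert, ca_key, serial)
end
def build_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, ca_cert.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 86_400
  revoked_serials.each { |s| crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial = s; r.time = Time.now }) }
  crl.sign(ca_key, SHA.call)
end
# Installer side: :ok, :revoked, :untrusted (chain does not reach our root) or :bad_signature.
def verify_gem_signature(data, sig, signer_cert, ca_cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if crl
  return(store.error == OpenSSL::X509::V_ERR_CERT_REVOKED ? :revoked : :untrusted) unless store.verify(signer_cert)
  signer_cert.public_key.verify(SHA.call, sig, data) ? :ok : :bad_signature
end
def demo
  ca_key, dev_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Constructed Gem CA', ca_key.public_key, nil, ca_key, 1, ca: true)
  csr = OpenSSL::X509::Request.new
  csr.subject, csr.public_key = OpenSSL::X509::Name.parse('/CN=dev@example.invalid'), dev_key.public_key
  dev_cert = issue_from_csr(csr.sign(dev_key, SHA.call), ca_cert, ca_key, 2)
  gem_bytes = 'constructed gem contents' # stands in for the gem's data tarball
  sig = dev_key.sign(SHA.call, gem_bytes)
  { genuine:  verify_gem_signature(gem_bytes, sig, dev_cert, ca_cert),
    tampered: verify_gem_signature(gem_bytes + '!', sig, dev_cert, ca_cert),
    revoked:  verify_gem_signature(gem_bytes, sig, dev_cert, ca_cert, crl: build_crl(ca_cert, ca_key, [2])) }
end
```

Without a CRL (or an equivalent revocation source) the `revoked` case would verify as `:ok`, which is exactly the gap the quoted passage points at.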