Add "Protecting RubyGems.org from the outside in" post #257
colby-swandale merged 2 commits into master from
Conversation
Pull request overview
Adds a new blog post describing recent RubyGems.org security hardening work, focusing on gem-push metadata validation changes and Have I Been Pwned password-compromise checks.
Changes:
- Introduces a new post covering gem package structure and push-time validation hardening.
- Documents the HIBP k-anonymity password checking approach used at login/registration/reset.
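The k-anonymity check summarized in the overview above, as an added example that is not part of the post or of the rubygems.org code base: the candidate password is hashed with SHA-1, only the first five hex characters are sent to the HIBP range endpoint, and the remaining 35-character suffix is matched locally against the returned `SUFFIX:COUNT` lines. The endpoint URL, the response line format and the `Add-Padding` header are HIBP's documented API; the `hibp_split`, `pwned_count`, `pwned_password_count` and `demo_offline` names and the constructed response body (with made-up counts) are assumptions made here.

```ruby
require "digest"
require "net/http"
require "uri"

# Documented HIBP range endpoint: GET /range/{first 5 hex chars of SHA-1}.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/".freeze

# Split the uppercase hex SHA-1 of a password into the 5-character prefix that
# is sent to HIBP and the 35-character suffix that never leaves the server.
def hibp_split(password)
  hex = Digest::SHA1.hexdigest(password).upcase
  [hex[0, 5], hex[5, 35]]
end

# Parse a range-API body ("SUFFIX:COUNT" per line) and return the breach count
# for our suffix, or 0 when it is absent. Malformed lines are skipped so a bad
# response cannot raise inside the login path.
def pwned_count(suffix, body)
  body.each_line do |line|
    candidate, count = line.strip.split(":", 2)
    next if candidate.nil? || count.nil?
    return count.to_i if candidate.casecmp?(suffix)
  end
  0
end

# Live check. "Add-Padding: true" asks HIBP to pad the response so its size does
# not reveal which prefix was queried. Network failures return nil so the caller
# decides between failing open (allow login) and failing closed.
def pwned_password_count(password)
  prefix, suffix = hibp_split(password)
  uri = URI(HIBP_RANGE_URL + prefix)
  req = Net::HTTP::Get.new(uri)
  req["Add-Padding"] = "true"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  return nil unless res.is_a?(Net::HTTPSuccess)
  pwned_count(suffix, res.body)
rescue StandardError
  nil
end

# Constructed sample body (hypothetical counts) for the prefix "5BAA6", which is
# what SHA-1("password") starts with; the second suffix is the real remainder of
# that hash, the other lines are made up.
CONSTRUCTED_RANGE_BODY = <<~BODY.freeze
  00A2D1B2C3D4E5F60718293A4B5C6D7E8F9:2
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
  2B3C4D5E6F708192A3B4C5D6E7F8091A2B3:0
  not-a-valid-line
BODY

# Offline demonstration of the matching step against the constructed body.
def demo_offline(password)
  prefix, suffix = hibp_split(password)
  return 0 unless prefix == "5BAA6" # the constructed body only covers this range
  pwned_count(suffix, CONSTRUCTED_RANGE_BODY)
end

if __FILE__ == $PROGRAM_NAME
  puts "password -> #{demo_offline('password')} breaches" # 3861493
end
```

Only `pwned_password_count` touches the network; the matching logic in `pwned_count` is what matters for the privacy property, since the full hash is never transmitted. Whether a `nil` from a HIBP outage should block or allow login is a policy choice the caller has to make explicitly.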
We've been chipping away at that. Over the past few months, we shipped two changes that tighten [rubygems.org](https://rubygems.org)'s defences at very different layers: stronger validation of gem contents at push time, and integration with Have I Been Pwned to catch compromised passwords at login.
## What [rubygems.org](https://rubygems.org) checks when you gem push
In this heading, "gem push" refers to the CLI command. Elsewhere in the blog the convention is to format commands with backticks (e.g., `gem push`), which also avoids reading "gem" as a verb here.
## What [rubygems.org](https://rubygems.org) checks when you gem push
## What [rubygems.org](https://rubygems.org) checks when you `gem push`
x checksums.yaml.gz
```
[rubygems.org](https://rubygems.org) closely inspects all 3 of these files when a gem is published, but the ones we're looking at are the `metadata` and `checksums.yaml`.
The tar listing above shows metadata.gz and checksums.yaml.gz, but this sentence refers to metadata and checksums.yaml. For accuracy (and to avoid confusing readers), consider referencing the actual file names (or explicitly noting the .gz wrappers).
[rubygems.org](https://rubygems.org) closely inspects all 3 of these files when a gem is published, but the ones we're looking at are the `metadata` and `checksums.yaml`.
[rubygems.org](https://rubygems.org) closely inspects all 3 of these files when a gem is published, but the ones we're looking at are `metadata.gz` and `checksums.yaml.gz`.
The `checksums.yaml` certifies the integrity hash of the `data.tar.gz` and `metadata.gz` with a sha256 after `gem build`. If someone tampers with the code directly, the checksums won't match and [rubygems.org](https://rubygems.org) rejects the push immediately. Checksums are the easy part.
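Review bot: this paragraph names the file `checksums.yaml` while the tar listing above shows `checksums.yaml.gz`; whichever form the earlier sentence settles on should be used here too. It would also help readers to state that `gem build` writes these hashes from the same contents it packages, so a mismatch catches a `.gem` altered after build rather than anything about what was built; that is consistent with "Checksums are the easy part", but without it the sentence can be read as a stronger guarantee than the check gives.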
"sha256" is typically written as "SHA-256" (or "SHA256") when referring to the algorithm name in prose. Consider updating the capitalization/formatting here.
The `checksums.yaml` certifies the integrity hash of the `data.tar.gz` and `metadata.gz` with a sha256 after `gem build`. If someone tampers with the code directly, the checksums won't match and [rubygems.org](https://rubygems.org) rejects the push immediately. Checksums are the easy part.
The `checksums.yaml` certifies the integrity hash of the `data.tar.gz` and `metadata.gz` with a SHA-256 hash after `gem build`. If someone tampers with the code directly, the checksums won't match and [rubygems.org](https://rubygems.org) rejects the push immediately. Checksums are the easy part.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>