[raesene9]

It's not just rubygems that has this issue, it's all the other repos too, most of which (AFAIK) don't enforce 2FA

Also worth noting that whilst MFA helps, it's not a panacea as MFA isn't generally compatible with automated CI/CD processes, so API keys will still be required, and can be leaked/lost/stolen.

[andrewaylett]

How about a split, so releases can be uploaded by API key, but only published by someone using MFA?

[cooljacob204]

Why would a CI/CD need to permissions modify and commit code to a repo?

[raesene9]

Say your CI pipeline runs automated tests, builds the gem and pushes to Rubygems, it needs permissions to push to Rubygems.

So if an attacker compromises the API key used by that pipeline, they get the rights to push to Rubygems.

[enneff]

Actually publishing new versions seems like something that happens infrequently enough that it would be fine to require a manual auth to complete it. Given the potential risks it seems prudent.

[raesene9]

I'd expect that very much depends on the software in question. As one example that I'm aware of, gvisor from Google delivers nightly builds. So they're building and pushing every single day.

It'd depend on the individual software library and of course as a consumer of many libraries you generally will have limited or no visibility of the practices of all your dependencies.

[rubber_duck]

I don't think nightly builds are the same thing as releases - you can have CI publish a build but to create a versioned public release it should require manual auth.

[raesene9]

That's a view of course (although in the case of gVisor they don't actually do versioned build just nightlies) but here's a question.

As a consumer of software libraries, have you ever looked into the security practices of the library author before choosing whether to use it or not?

[adrianN]

Every single day doesn't sound too often to have someone press a physical button.

[zbentley]

Absolutely agree. One-click deploys are nice, but in some circumstances not worth the cost. The manual component can also be polished to the point where it's not that arduous (think github login with 2FA and clicking the "merge" button).

[fahrradflucht]

The argument for automated releases is always that it is quite easy to do silly mistakes like forgetting a build step while doing manual releases. This also happened to high profile npm packages in the past and people complained that there was no automation.

[psychrometer]

I think they are suggesting a mostly automated build process and then a manual entering of a the second factor OTP at the deploy stage. The entering of the 2FA isn't something that will be hard to easy to mess up and you still receive the benefits of automated builds for the most part.

[C4stor]

I doesn't seem hard to imagine a CI pipeline that sends an email/sms for validation and waits an affirmative answer before continuing. I have no idea how to receive texts on a server, but sending and receiving emails is super easy.

[sersi]

Yes, I agree, it's not only rubygems, npm had the same problem not so long ago and it is a general issue in all repos.

One thing that would be inconvenient but would protect against that would be to have the api work as usual, but need to use MFA and login to the website to approve a new release (and have information there listing the ip and time of upload). That would only make sense for heavily used gems like this one but it seems that it would stop most issues?

[raesene9]

It would help for sure, I'd guess the problem would be , will the maintainers of all these libraries be happy with the overhead that this would introduce.

A less invasive control might be to notify all owners when a new version is pushed, so they would be aware of a risk, if they weren't expecting a new release. Not perfect, but something.