by sersi
2493 days ago
Yes, I agree, it's not only rubygems; npm had the same problem not so long ago, and it is a general issue in all repos. One thing that would be inconvenient but would protect against that would be to have the API work as usual, but require using MFA and logging in to the website to approve a new release (and have information there listing the IP and time of upload). That would only make sense for heavily used gems like this one, but it seems that it would stop most issues?
A less invasive control might be to notify all owners when a new version is pushed, so they would be aware of a risk if they weren't expecting a new release. Not perfect, but something.