[codebeaker]

As part of a team of maintainers of a popular (declining) gem, shame they don't make a mention of the extremely valid "gem is owned by a team, and anyone may push" model. I regret that the MFA token for many gems such as this may end-up in 1Password or similar, shared, along side the other credentials, rather than on a separate device or similar.

[msbarnett]

Gems can have multiple accounts able to push, and MFA tokens are per-account, not per-gem. So what's the issue exactly?

[jacques_chester]

In fact, you can now scope API tokens per-gem as well: https://github.com/rubygems/rubygems.org/pull/2944

[tessierashpool]

seems like the post you're replying to had already answered your question, in its second sentence:

> I regret that the MFA token for many gems such as this may end-up in 1Password or similar, shared, along side the other credentials, rather than on a separate device or similar.

[msbarnett]

Still not following.

"> I regret that the MFA token for many gems such as this may end-up in 1Password or similar, shared, along side the other credentials, rather than on a separate device or similar."

Emphasis mine. How does "the extremely valid "gem is owned by a team, and anyone may push" model" impact this in any way? Why would the MFA tokens need to be shared via 1Password if they are specific to an individual account?

Unless you're sharing the username/password for a master account between everyone with push access to the gem (which, I checked, Capistrano thankfully doesn't appear to be doing), there's no reason whatsover to share the MFA token, so it could happily exist on a separate device. And if you are sharing one username/password between everybody – don't do that. You don't need to do that to accomplish "the extremely valid "gem is owned by a team, and anyone may push" model". That's just a really stupid way to do anything.

GP seems to be thinking that everyone with push rights needs to share the same token, but that's simply incorrect.

[kyrofa]

As others have mentioned, such gems should have shared maintainership across multiple accounts (each with their own creds and MFA) as opposed to shared creds and MFA.

[eropple]

I'm having trouble parsing your post. You can add multiple owners to a gem. You can also disable 2FA for API access on a per-account basis (though it isn't recommended) for a CI runner--which, tbh, is how a popular gem should be being published. What's the objection here?