by decasia
290 days ago
About this, I noticed a relatively prominent gem maintainer publicly announcing his efforts to avoid rubygems security measures:

> I'll try to get a unicorn 7.x release soon but tests take
> forever to run on ancient HW and I need to ration releases to
> keep download counts low in order to stay under the MFA
> threshold on Rubygems.org

> I don't ever want users viewing me as trustworthy nor liable for
> anything I do, so no MFA nor sigs from me; just source + docs :>

If I understand correctly - the idea is that the unicorn maintainer does not want to be viewed as trustworthy and is avoiding MFA and signatures because they could build trust that isn't, in this case, wanted.

https://yhbt.net/unicorn-public/20231214230933.M299458@dcvr/
He has only contributed to Ruby via the ruby-core mailing list (he does not use the RubyMine interface which backs ruby-core) and the main Ruby git repo hosted by the Ruby team, never anything on GitHub.
I'm sort of surprised that the RubyGems MFA threshold hasn't been updated (it was 180M total downloads in 2022; my gems combined have > 2.5B downloads, so I was never not going to pass the threshold), but he's under 70M downloads shy and each release gets about 15M downloads or so.
I think that his position is irresponsible in today's threat environment, but given the amount of work that I'm doing for OSS maintenance that's just responding to bloody Dependabot updates…