-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Opt-in for MFA requirement #226
base: master
Are you sure you want to change the base?
Conversation
What's the up-side of increased security? I understand it potentially protects users against supply-chain attacks... but it requires me to provide additional private data (i.e., phone number), does it no? Will 2FA become a gem requirement at some point? The biggest question I have about this is that someone can push a version by simply removing the line from the |
Hi, A little bit of background. I'm proposing this change for some gems that I may use in my stack MFA is already been used by popular Ruby gems like rails, puma, nokogiri, dalli, and recently has been accepted by sidekiq There is also a RuboCop cop checking for the MFA in the gemfile: https://docs.rubocop.org/rubocop/cops_gemspec.html#gemspecrequiremfa
I'm using an authenticator app, no SMS involved. I've checked my profile at rubygems and there is no phone number field available. At the best of my knowledge, I did not provide them my phone number More information about rubygems and MFA at: https://guides.rubygems.org/setting-up-multifactor-authentication/
At the moment it is mandatory for top 100 gems and maintainers of popular gems https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html
As per https://guides.rubygems.org/mfa-requirement-opt-in/ and https://guides.rubygems.org/mfa-requirement-opt-in/#disabling-mfa-requirement The version being released with rubygems_mfa_required set and all the following version will require that you provide an OTP for all privileged operations ... You can disable the MFA requirement by setting At the best of my understanding, |
Make the gem more secure by requiring that all privileged operations by any of the owners require OTP. Ref: https://guides.rubygems.org/mfa-requirement-opt-in/
b57209f
to
23e2f83
Compare
Hi, I noticed this project is seeking new maintainers. I'd like to express my interest in taking on a maintainer role. I have several contributions I'd like to make, including:
If added as a maintainer, I plan to modernize the codebase, which would include dropping support for EOL Ruby versions (pre-3.1). Before proceeding with any merges, I wanted to confirm if you're open to adding me as a maintainer. I can't guarantee long-term commitment on bug fixing, but we would like to avoid a fork |
Make the gem more secure by requiring that all privileged operations by any of the owners require OTP.
Ref: https://guides.rubygems.org/mfa-requirement-opt-in/
I've seen that there is not a clear preference of
"
above'
, so I'm using'