From: Martin Bosslet Date: 2011-10-26T09:53:00+09:00 Subject: [ruby-core:40389] [ruby-trunk - Feature #5481] Gemifying Ruby standard library Issue #5481 has been updated by Martin Bosslet. I really like the proposal. Just wanted to add one thought - if we add yet more power to the gem infrastructure, we should probably revisit the idea of offering code-signed gems. The theory exists [1], we could build on that. This might be slightly off-topic, so I apologize in advance, but I still feel it is relevant, especially when gemifying stdlib, please let me explain why. If the stdlib gets gemified we will have even more gem downloads than today. I'm not talking about the bundled gems that would be accessed locally when building Ruby for the first time (wrt to this proposal), rather about "updating" and adding gems to an existing installation. Updating will be a crucial task in production - people would certainly show interest in being able to stay up to date as fast as possible regarding security fixes, performance improvements etc. Currently, these gem downloads are entirely unprotected, so just imagine a production deployment that connects to the outside world using a company proxy. The guy operating the company proxy could have a lot of fun serving "customized" gems that do all sorts of evil - nobody would notice. Serving the gems over an non-secure channel is definitely a risk. This might not seem such a big deal at first glance, but just think about discussing your architecture with a bank or other high security environments. Those people constantly give us the "<> <>" talk, so I could very well imagine that this is an issue when it comes to adopting Ruby in these environments. These people are often very conservative in their views, and even if they are still coding VB 6 GUIs and have no idea what they are talking about, still (in my own experience) they will readily accept *signed* Java applets... That's why I think offering signed gems would be helpful in sending a signal to those "enterprisy" clients, if not only to take away their arguments. What we often find in these situations are SHA-1 checksums or similar features published on the download site. If the site is served over http this has effectively *zero* additional security. An attacker would simply man-in-the-middle the HTML of the site, too, handing you a different hash. In addition, even when sent over https, let's face it, nobody really compares these hashes manually. I see two relatively simple options for mitigation: either secure the transport channel on the transport layer using TLS or secure the payload itself and therefore sign the gem. I prefer the second solution because it "persists" the security of the gem, the signature is tightly coupled with the gem itself and persists once downloaded, so that for example local gem cache servers would still be an option (they wouldn't be in the TLS case, unless effectively re-signing the gems). Please note that a code signature will of course not guarantee that the code is free of bugs or not malicious. The only security it will provide is that one can be sure that the gem itself has not been modified after the holder of the code signing certificate applied the signature. Not more, not less. This narrows your trust decision down to asking yourself the question whether you want to trust the certificate holder to have validated the code to do what it is supposed to do. The person signing the gem is the last person who was able to alter the code. After applying the signature, the gem is effectively sealed. So you would have to base your trust on two things. Whether you trust this person to not have altered the code in malicious ways and whether you trust that person to have validated the code to ensure its proper functionality. Although far from perfect, in my eyes this is still a major improvement over having no guarantee at all. A problem with code signing gems is that nobody is to keen on buying a "real" code signing certificate to sign their code, but on the other hand nobody would be keen on trusting a self-signed certificate either. This is probably one of the major issues why code signing is a rarely used feature. Now since gems are stored in a centralized repository, a solution could be to not require the *authors* to sign a gem but to sign a gem on the RubyGems server immediately after uploading, using a certificate that is exclusively issued to RubyGems. Solving the problem of trusting one dedicated certificate is easy, there are several options that would still need to be discussed, but it is certainly doable. However, this would put the burden of managing this certificate and securing access to it on the shoulders of the RubyGems maintainers. I would also suggest to keep this entirely optional. To be honest, as with all things security, this will possibly affect usability, additional configuration will likely be necessary to use the feature. So you will have to assess your individual risks - you might very well come to the conclusion that a feature like this is overkill in your individual situation. You should of course still have the option to ignore this entirely, much like today. I talked briefly about the idea with Eric Hodel and Hiroshi Nakamura. Eric told me that similar ideas in this direction exist. I would really appreciate to hear opinions on this. If you feel that this would be indeed a good option, I would suggest to open a new issue for further discussion. [1] http://docs.rubygems.org/read/chapter/21 ---------------------------------------- Feature #5481: Gemifying Ruby standard library http://redmine.ruby-lang.org/issues/5481 Author: Hiroshi Nakamura Status: Open Priority: Normal Assignee: Category: lib Target version: 2.0 =begin Up-to-date summary of this proposal is at (()) == Motivation * ruby's release cycle is slow for some standard libraries; * ex. security fix for WEBrick, xmlrpc and Zlib. * ex. API iteration for net/http, OpenSSL, json, psych, RDoc, minitest and rake. * There's already the feature called 'default gems' in ruby and some stdlibs are already using it: * rake, rdoc, minitest, json, io-console, bigdecimal * And some gems are already doing out-of-band releases. * When releasing we should give independence equally to all stdlibs, but in a consistent and controllable way. == Proposal * Allow out-of-band stdlib releases. * We are not proposing changes to ruby's release management, the release manager would decide when they release ruby and stdlib. * Allow more stdlibs to be installed as a 'default gem' * Register these gems on RubyGems.org * Introduce a new mechanism: controlling supported ruby version so that we can avoid installing unexpected version of stdlib gems. For example, a WEBrick gem for ruby 2.0.1 (released from ruby_2_0_1 branch) should not be installed for ruby 2.0.0 (released from ruby_2_0_0 branch) unless we know it works for both 2.0.0 and 2.0.1. Note: * Moving stdlibs repository location is not a target of this proposal. The implementation details of stdlib gems should hide this from ruby committers. * ruby_1_9_3 is not a target of this proposal. The change should be introduced from 2.0.0 release. ...Some more details of the proposal and discussion topics are going to follow as comments. =end -- http://redmine.ruby-lang.org