Make 2FA mandatory for everyone who wants to publish gems to rubygems.org #3080
Replies: 7 comments
-
We already provide 2FA for publishing gems: https://guides.rubygems.org/setting-up-multifactor-authentication/
-
Yeah, I know, but this was also not my question :) My suggestion was to make it mandatory for everyone who wants to publish to rubygems.org, to make it harder for these problems to occur.
-
See #2101 (comment). There is no plan to enforce 2FA for everyone yet.
-
Mandatory 2FA would also mean that I could no longer publish updates to any of my gems. I could explain why, but it would take too long; suffice to say that this would mean that I would then become inactive on rubygems.org. The awkward thing would then be that I could continue to publish code at GitHub, right? So this would be an awkward situation, and I am totally against making this mandatory.

What I think may be useful is to add a reputation system, and more fine-tuning control for Ruby users, into "gem" directly, and also on rubygems.org, in the long run. For example, just one example: most of these trojaned gems have very few downloads. So we could add, to gem itself, a min-download query check. Something like, for people to set: "if this gem has fewer than 2000 downloads, do not allow any AUTOMATIC installation of it". People may then be required to install it otherwise, or use a command-line flag instead to specifically bypass/ignore that additional new limitation. It is still a bit inconvenient, but not necessarily as much as this suggestion to simply boot those who do not or cannot use 2FA.
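The minimum-download check proposed in the comment above, worked through as an added example. This is not code from rubygems, Bundler, or the commenter; it is a stand-alone illustration of the policy. It assumes the per-gem JSON served by rubygems.org (https://rubygems.org/api/v1/gems/NAME.json) carries a `downloads` field, which is the only field used; the download counts and the Gemfile.lock excerpt are constructed for the example, and the `--allow-low-downloads` bypass flag is a hypothetical name. An unknown gem, or a response without a usable count, is treated as "cannot verify" and blocked rather than silently allowed.

```ruby
require "json"

# Added example: block automatic installation of gems below a download
# threshold unless the user explicitly opts in. Not part of rubygems.

DEFAULT_MIN_DOWNLOADS = 2000

# Constructed stand-in for the body of https://rubygems.org/api/v1/gems/NAME.json
# (assumption: that endpoint exposes a "downloads" integer). Counts are made up.
SAMPLE_API_RESPONSES = {
  "rack"        => '{"name":"rack","downloads":812345678,"version":"3.0.8"}',
  "typo-helper" => '{"name":"typo-helper","downloads":37,"version":"0.1.0"}',
  "newlib"      => '{"name":"newlib","downloads":1999,"version":"1.0.0"}',
}.freeze

# Total download count for a gem, or nil when the gem is unknown or the
# response is malformed or lacks an integer "downloads" field.
def download_count(gem_name, responses = SAMPLE_API_RESPONSES)
  body = responses[gem_name]
  return nil if body.nil?
  data = JSON.parse(body)
  data["downloads"].is_a?(Integer) ? data["downloads"] : nil
rescue JSON::ParserError
  nil
end

# Policy decision for one gem. force: true models a hypothetical
# --allow-low-downloads command-line flag that bypasses the check.
def install_allowed?(gem_name, min_downloads: DEFAULT_MIN_DOWNLOADS, force: false,
                     responses: SAMPLE_API_RESPONSES)
  return true if force
  count = download_count(gem_name, responses)
  !count.nil? && count >= min_downloads      # nil (unverifiable) is blocked
end

# Gem names from the "specs:" entries of a Gemfile.lock-style listing
# ("    name (version)" lines, including deeper-indented transitive ones).
def gem_names_from_lock(lock_text)
  lock_text.each_line.map { |l| l[/^\s+(\S+) \(/, 1] }.compact.uniq
end

# Evaluate every gem in the lockfile; returns the names that would be blocked.
def blocked_gems(lock_text, min_downloads: DEFAULT_MIN_DOWNLOADS, force: false,
                 responses: SAMPLE_API_RESPONSES)
  gem_names_from_lock(lock_text).reject do |name|
    install_allowed?(name, min_downloads: min_downloads, force: force, responses: responses)
  end
end

# Constructed lockfile excerpt; "unknown-gem" has no API record at all.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      typo-helper (0.1.0)
      newlib (1.0.0)
      unknown-gem (2.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  blocked = blocked_gems(SAMPLE_LOCK)
  if blocked.empty?
    puts "all gems pass the download-count policy"
  else
    puts "refusing automatic install of: #{blocked.join(', ')} " \
         "(re-run with --allow-low-downloads to bypass)"
  end
end
```

With the sample data, `typo-helper` (37 downloads), `newlib` (1999, one short of the threshold) and `unknown-gem` (no record) are blocked while `rack` passes; the threshold is a parameter so a user can tune it, and the bypass is all-or-nothing by design so that a deliberate override is visible in the command line rather than buried in configuration.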
-
As supply-chain attacks increase, this policy needs to change, and it needs to change quickly. See GitHub's announcement about enforcing 2FA on the top 500 npm packages as an example of the correct way to start rolling this out. We need to do the same.
-
@olivierlacan Please see rubygems/rfcs#36 for the approved plan to roll out MFA, and rubygems/rubygems.github.io#110 for some indication of current status. (I'll leave it to one of the people contributing to that effort to offer more details.)
-
Sincere apologies @flavorjones and @hsbt, I completely forgot this plan was announced yesterday.
-
I would like to suggest a feature.
My current problem is a gem publishing process that is not security-oriented.
This issue is related to:
gem
After seeing the recently hacked gems published on rubygems.org, I highly recommend making 2FA mandatory before publishing to rubygems.org.
Any thoughts about this?
See the news:
I will abide by the code of conduct.