Phase 4: Rolling out to the General Public (Q4 2022 and beyond)

[rubyFeedback]

See here:

https://github.com/rubygems/rfcs/pull/36/files#diff-3d5cc3acc06fe7e9150fdbfc43399c5ad42572c122187774bfc3a4857df524f1R46-R67

Once the rollout of the top 100 most downloaded gems is successfully rolled out, a similar rollout will be done for more gems.
The details of this phase will be fleshed out in another RFC.

What is the response of rubygems.org maintainers to those who state that this will prevent them from maintaining their gems on rubygems.org?

[simi]

This is not decided yet. Initial idea was to require on MFA for everyone somehow. We will create RFC for this soon, feel free to share your ideas in there. Personally I would like to avoid MFA for simple/personal/testing stuff somehow to keep it simple. But we will need to find some way. Currently the solution would be to keep 2 accounts and prepare some limit for MFA requirement (like 10 000 downloads). 🤷

[qrush]

I'm nervous about this - especially since in the pre-rubygems.org days submitting a gem used to be through a (PHP) form with a ton of requirements to fill out. Maybe there could be a threshold of gems/versions pushed to require MFA? For example:

• after your 5th gem push, MFA must be on
• your first personal gem doesnt require MFA, but if any owners on an existing gem have MFA, all owners must have it to push

[simi]

Another quick idea is to scope MFA requirement to API key (instead of whole account). For your hobby gems you can use separated API token and (as mentioned) until you pass some limit, MFA is not going to be needed.

[flavorjones]

Just to help balance out the opinions being expressed here, I'd like to say that I'm strongly in favor of requiring MFA to publish gems that are widely used.

As a maintainer of more than one of the qualifying gems, I have been happy to change my workflow to accommodate this policy. Another affected maintainer, @tenderlove, took the time to automate his workflow with a yubikey and published a how-to for others to set it up.

I feel strongly that requiring MFA to publish commonly-used gems is a simple and effective "public health policy" that immunizes us from a frequently-attempted attack on the ecosystem. If there are features that need to be added to support your workflow, please share your experience with the rubygems maintainers! They have been consistently willing to engage with gem maintainers on how to make this policy less disruptful.