In June of this year, RubyGems, the main repository for Ruby packages (gems), announced that multi-factor authentication (MFA) was going to be gradually rolled out to users. This means that users will eventually need to log in with a one-time password from their authenticator device, which will drastically reduce account takeovers. The team I'm interning on, the Ruby Dependency Security team at Shopify, played a big part in rolling out MFA to RubyGems users.

The team's mission is to increase the security of the Ruby software supply chain, so increasing MFA usage is something we wanted to help implement. One interesting decision that the RubyGems team faced was determining who would be included in the first milestone. The team wanted to include at least the top 100 RubyGems packages, but also wanted to prevent packages (and people) from falling out of this cohort in the future. To meet both criteria, the team set a threshold of 180 million downloads for the gems instead of a fixed top-100 list. Once a gem crosses 180 million downloads, its owners are required to use multi-factor authentication from then on.

*Figure: Gem 2 is over the 180M download threshold, so its owners would need MFA.*

This design decision led me to a curiosity. As packages frequently depend on other packages, could some of these big (more than 180M downloads) packages depend on small (less than 180M downloads) packages? If this were the case, then there would be a small loophole: if a hacker wanted to maximize their reach in the Ruby ecosystem, they could target one of these small packages (which would get installed every time someone installed one of the big packages), circumventing the MFA protection of the big packages.