Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Opt-in for MFA requirement explicitly #91

Merged
merged 1 commit into from
May 15, 2024
Merged

Opt-in for MFA requirement explicitly #91

merged 1 commit into from
May 15, 2024

Conversation

tagliala
Copy link
Contributor

@tagliala tagliala commented May 12, 2024
edited
Loading

As a pupular gem, regexp_parser implicitly requires that all
privileged operations by any of the owners require OTP.

However, by explicitly setting rubygems_mfa_required metadata, the
gem will show "NEW VERSIONS REQUIRE MFA" and
"VERSION PUBLISHED WITH MFA" in the sidebar at
https://github.com/ammar/regexp_parser

Ref:

@jaynetics
Copy link
Collaborator

Thank you for the PR! However, this change is redundant as MFA has long been required for gems with a high number of downloads, and I'd rather not add code that has no effect.

@tagliala
Copy link
Contributor Author

tagliala commented May 13, 2024
edited
Loading

Hi,

thanks for your anwser

I know that it is required for gems with "a high number of downloads", however I've submitted the PR the same because it will explicitly add to rubygems "NEW VERSIONS REQUIRE MFA" and "VERSION PUBLISHED WITH MFA" fields.

I usually check all the libraries in our stack when there is an upgrade to confirm that it was pushed by a legit account

Ref: https://rubygems.org/gems/regexp_parser

This library

image

Rails

https://rubygems.org/gems/rails

image

@tagliala
Copy link
Contributor Author

I can edit the commit message because the first one is a copy & paste.

For this gem, it would more appropriate to add the fact that explicitly enabling mfa will show metadata information on rubygems

@tagliala tagliala marked this pull request as draft May 13, 2024 11:55
@tagliala
Opt-in for MFA requirement explicitly
50f6259 
As a pupular gem, `regexp_parser` implicitly requires that all
privileged operations by any of the owners require OTP.

However, by explicitly setting `rubygems_mfa_required` metadata, the
gem will show "NEW VERSIONS REQUIRE MFA" and
"VERSION PUBLISHED WITH MFA" in the sidebar at
https://github.com/ammar/regexp_parser

Ref:
- https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html
- https://guides.rubygems.org/mfa-requirement-opt-in/
@tagliala tagliala force-pushed the security/opt-in-for-mfa branch from 4d588f9 to 50f6259 Compare May 13, 2024 13:03
@tagliala tagliala changed the title Opt-in for MFA requirement Opt-in for MFA requirement explicitly May 13, 2024
@tagliala
Copy link
Contributor Author

tagliala commented May 13, 2024
edited
Loading

Rebased and reworded, now it should be better

@tagliala tagliala marked this pull request as ready for review May 13, 2024 13:04
@mbj
Copy link

mbj commented May 13, 2024

Yeah so this is about making the MFA fact more "machine parsable" not so much about changing the fact MFA is required. I know / run corporate tools that scan for this signal. It makes regexp_parser more easy to integrate into a dependency tree.

All my popular gems are also under that explicit metadata signal BTW.

@jaynetics jaynetics merged commit 6ae8ad9 into ammar:master May 15, 2024
2 checks passed
@jaynetics
Copy link
Collaborator

That makes sense, thanks for the explanations. I've released v2.9.2 with this change.

@tagliala tagliala deleted the security/opt-in-for-mfa branch May 16, 2024 07:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tagliala @jaynetics @mbj