undefined | Better HN

0 pointssersi6y ago0 comments

Yes, I agree, it's not only rubygems, npm had the same problem not so long ago and it is a general issue in all repos.

One thing that would be inconvenient but would protect against that would be to have the api work as usual, but need to use MFA and login to the website to approve a new release (and have information there listing the ip and time of upload). That would only make sense for heavily used gems like this one but it seems that it would stop most issues?

0 comments

raesene96y ago

It would help for sure, I'd guess the problem would be , will the maintainers of all these libraries be happy with the overhead that this would introduce.

A less invasive control might be to notify all owners when a new version is pushed, so they would be aware of a risk, if they weren't expecting a new release. Not perfect, but something.

j / k navigate · click thread line to collapse

0 pointssersi6y ago0 comments

Yes, I agree, it's not only rubygems, npm had the same problem not so long ago and it is a general issue in all repos.

0 comments

raesene96y ago

It would help for sure, I'd guess the problem would be , will the maintainers of all these libraries be happy with the overhead that this would introduce.

A less invasive control might be to notify all owners when a new version is pushed, so they would be aware of a risk, if they weren't expecting a new release. Not perfect, but something.

j / k navigate · click thread line to collapse