Add MFA enforcement on popular gems blog post #121
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| --- | ||
| title: Requiring MFA on popular gem maintainers | ||
| layout: post | ||
| author: Jenny Shen | ||
| author_email: [email protected] | ||
| --- | ||
| <p align="center"> | ||
| <img src="/images/gem-with-thumbs-up-mfa-dropshadow.png" alt="Doodle of a RubyGem wearing a MFA hat, giving a thumbs up" width="300"/> | ||
| </p> | ||
|
|
||
| Two months ago, we outlined our [commitment](https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html) to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require MFA on at least the top-100 RubyGems packages. | ||
|
|
||
| Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled on the `UI and API` or `UI and gem signin` level will not be able to edit their profile on the web, perform [privileged actions](https://guides.rubygems.org/mfa-requirement-opt-in/#privileged-operations) (i.e. push and yank gems, or add and remove gem owners) or sign in on the command line until they [configure MFA](https://guides.rubygems.org/setting-up-multifactor-authentication/). | ||
|
There was a problem hiding this comment. Super tiny nit: It's just a stylistic choice. I prefer the Oxford comma. Its proper usage would be when there is a list of three or more things, which applies to this case. That said, with or without the comma, it's correct.
|
||
|
|
||
| Maintainers of gems that surpass 165 million total downloads will continue to receive recommendation reminders on the UI and CLI until the gem reaches 180 million total downloads. At that point, MFA will be required. | ||
|
|
||
| This policy would bring us in line with the policies made by other package ecosystems. We have plans to increase MFA adoption on RubyGems. If you have ideas on how future rollouts should be approached, join this [discussion](https://github.com/rubygems/rfcs/issues/42) in our RFC repository! | ||
|
|
||
| In addition, we are also currently working on adding support for [WebAuthn](https://webauthn.guide/). Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice. | ||
|
|
||
| Be sure to stay tuned for updates! As always, if you have any feedback, questions or ideas on how to make RubyGems better and more secure, please contact us in the [Bundler Slack workspace](https://slack.bundler.io/) or open a [GitHub issue](https://github.com/rubygems/rubygems.org/issues). If you require account assistance based on the changes rolled out today, please reach out to [[email protected]](mailto:[email protected]). | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should spell out "MFA" and define the acronym before using the acronym elsewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes agreed, great catch! 🚀