Add MFA enforcement on popular gems blog post #121

Merged
merged 7 commits into from
Aug 16, 2022
19 changes: 19 additions & 0 deletions _posts/2022-08-15-requiring-mfa-on-popular-gems.md
@@ -0,0 +1,19 @@
---
title: Requiring MFA on popular gem maintainers
layout: post
author: Jenny Shen
author_email: [email protected]
---
<p align="center">
<img src="/images/gem-with-mfa-flag-dropshadow.png" alt="Doodle of a RubyGem wearing an MFA hat, holding a flag with a checkmark" width="300"/>
</p>
Member Author

Used the same image as the last post. Do we want to change up the doodle this time around to keep it interesting?

Member

If you have time to update it, sure. Using the same is also fine.

Member Author

@bettymakes quickly stirred up another doodle 🚀 , replaced the OG doodle with that one.


Two months ago, we outlined our [commitment](https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html) to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require MFA on at least the top-100 RubyGems packages.
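Review bot: the statement that account takeovers are "the second most common software supply chain attack" carries no source; link the report or dataset the ranking comes from, the same way the earlier commitment post is linked, so readers can check the figure.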
Contributor

We should spell out "MFA" and define the acronym before using the acronym elsewhere.

Two months ago, we outlined our commitment to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require 👉 multi-factor authentication (MFA) 👈 on at least the top-100 RubyGems packages.

Member Author

Yes agreed, great catch! 🚀


Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled on the `UI and API` or `UI and gem signin` level will not be able to access profile pages on the web, perform [privileged actions](https://guides.rubygems.org/mfa-requirement-opt-in/#privileged-operations) (i.e. push and yank gems, or add and remove gem owners) or sign in on the command line until they [configure MFA](https://guides.rubygems.org/setting-up-multifactor-authentication/).
jenshenny marked this conversation as resolved.

Maintainers of gems that surpass 165 million total downloads will continue to receive recommendation reminders on the UI and CLI until the gem reaches 180 million total downloads. At that point, MFA will be required.

This policy would bring us in line with the policies made by other package ecosystems. We have plans to increase MFA adoption on RubyGems, which will be announced in the near future. In addition, we are also currently working on adding support for [WebAuthn](https://webauthn.guide/). Maintainers would be able to use hardware tokens, biometric keys, and other WebAuthn-supported devices as their multi-factor device of choice.
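Review bot: "In addition, we are also currently working on" doubles up "in addition" and "also"; suggest "We are also working on adding support for WebAuthn". In the same paragraph, "This policy would bring us in line" reads as conditional for a policy that takes effect today; "This policy brings us in line" matches the tense of the surrounding sentences.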
jenshenny marked this conversation as resolved.

Be sure to stay tuned for updates! As always, if you have any feedback, questions or ideas on how to make RubyGems better and more secure, please contact us in the [Bundler Slack workspace](https://slack.bundler.io/) or open a [GitHub issue](https://github.com/rubygems/rubygems.org/issues).