Home Explore Help
Sign In
rem
/
ruby-scaffold_gem
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Tree: 0c5223b79c
Branches Tags
ruby-scaffol...
/
Security.md.erb

Security.md.erb 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. # Security
    2. 

  2. 

  3. Security issues take precedence over bug fixes, and feature work.
    4. 

  4. Peer reviews, and security research, are also welcome to ensure nobody's
    5. 

  5. instance is ever compromised.
    6. 

  6. 

  7. 

  8. ## Where should I report security issues?
    9. 

  9. 

  10. Email directly `:TODO: at project dot org` with details, and
    11. 

  11. reproduction steps. Please allow 90-days, from when we first reply to
    12. 

  12. your report, before public disclosure. At that time you may add a copy of
    13. 

  13. your published findings in the `disclosed` directory to help update users
    14. 

  14. about new, or improved security measures.
    15. 

  15. 

  16. If you wish to be acknowledge below, mention it explicitly, and include
    17. 

  17. 

  18. - Your name or alias
    19. 

  19. - Report date. YYYY-MM-DD
    20. 

  20. - Bug reported. Name or one-line description.
    21. 

  21. - Main contact (optional)
    22. 

  22. 

  23. (Lack of a `disclosed` folder only means nothing has been reported)
    24. 

  24. 

  25. ## Configuration
    26. 

  26. 

  27. These are the PROJECT's default settings:
    28. 

  28. 

  29. :TODO:
    30. 

  30. 

  31. Depending on the user's threat model these may be tune:
    32. 

  32. 

  33. :TODO:
    34. 

  34. 

  35. ## Checksum
    36. 

  36. 

  37. Although it's possible to install gems with a trust policy, is not a
    38. 

  38. widely used feature. In practice, we'd have to allow installing gems
    39. 

  39. without a cert defeating the purpose of having a policy.
    40. 

  40. 

  41. Instead, we include the checksum of the released gems, as recommended on
    42. 

  42. [rubygems](https://guides.rubygems.org/security/#include-checksum-of-released-gems-in-your-repository).
    43. 

  43. To verify the gem before installing it
    44. 

  44. 

  45. ```terminal
    46. 

  46. $ gem fetch <%= @scaffold.gem_name %> -v <version>
    47. 

  47. $ ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('<%= @scaffold.gem_name %>-<version>.gem'))"
    48. 

  48. ```
    49. 

  49. 

  50. Compare it with the hash in `checksum/<%= @scaffold.gem_name %>-<version>.gem.sha512` to
    51. 

  51. verify the integrity of the fetched gem. If the checksum matches
    52. 

  52. 

  53. ```terminal
    54. 

  54. $ gem install <%= @scaffold.gem_name %> -v <version>
    55. 

  55. ```
    56. 

  56. 

  57. If you wish to audit the gem locally before installation
    58. 

  58. 

  59. ```sh
    60. 

  60. $ gem unpack <%= @scaffold.gem_name %> -v <version>
    61. 

  61. ```
    62. 

  62. 

  63. Verify the latest release's checksum before updating as well.
    64. 

  64. 

  65. ## Acknowledgments
    66. 

  66. 

  67. We would like to thank the following researchers:
    68. 

  68. 

  69. | YYYY-MM-DD | Description | Name/alias | email/profile |
    70. 

  70. |------------|-------------|------------|---------------|
    71. 

  71. |            |             |            |               |
    72. 

  72.