- picadione assumes he copied the AWS root password out of the RC-provided enterprise password manager / vault onto his own personally controlled password manager before he was locked out, which might be forgivable if it wasn't the root login for a major language's package registry
- really disappointing. it's such a huge security concern and privacy/ethical lapse, i am super disappointed in him, despite his contributions to the world of Ruby package management
he's now started a competing gem.coop package manager, and while they haven't released a privacy policy it does make me suspicious about how they were planning to fund it
no single person should have Github owner + AWS root password for a major language's package manager and ecosystem just sitting around on their laptop while they fly around to different conferences in Japan e.g. (as Andre did while hacking rubygem's AWS root account to show off)
- how can you trust gem.coop isn't already mining request logs + IPs to try and monetize lists of companies using specific packages & versions — besides the privacy/ethical concerns it is super useful data for hackers looking for vulnerable apps
no single person should have Github owner + AWS root password for a major language's package manager and ecosystem just sitting around on their laptop while they fly around to different conferences (as Andre seems to have done while showing off he still had the login to rubygem's AWS root account while in Japan)
- just because someone is a nice community member doesn't mean they deserve rewrite-the-commit history admin level access to rubygems and bundler. they can be great committers even without the ego boost of knowing you hold the keys to get a ton of companies hacked without interference.
also, if you step back, Ruby's problem is it consists of a fading community of millenials and Gen Xers who first came to Rails when it was the best/coolest option. however with the majority of builders now turning to JS for web, Rust (and Go) for systems, and Python for ML, it doesn't have a use case anymore that can drive a community or any hope for growth in the future. so a "niche DSL" for legacy webapps and plugin systems is what's left IMO, but i'm sorry for being super frank about it
languages like this with a shrinking community and loose security policies pose around the centralized package management system pose high security risks to its users.
- i read the article, but didn't see anything damning about it. how big of a staff do you think a tiny 501c3 like RubyCentral is? RC shepherds a pretty small community around a niche DSL with a shoestring non-profit budget that mostly goes towards running conferences.. you can see their financial reports here https://projects.propublica.org/nonprofits/organizations/300...
expectations around "strategic planning" and "marketing/PR" are not realistic. You should just be glad these randos don't have admin access to the Github org anymore. Any one of them were huge targets for adversaries who want to ship malware in Rubygems, supply chain attacks are very real and having commit access directly to rubygems/bundler is too powerful for a rando.
my main takeaway from reading all this is why were so many assorted people given such high levels of access..