Staff Software Engineer

Residency Update

Welcome to my update as Ruby Central’s security engineer in residence, sponsored by AWS.

My goal is to write a short update every week, chronicling what I’ve been working on, and reminding myself that I was, in fact, productive.

This week I attended RailsConf, and shipped a gem that makes setting up trusted publishing for an existing gem fit into a 5 minute lightning talk.


RubyGems Research

Got Andre to help me set up a new k8s cluster for RubyGems research, also wiping the machine in the process.

Wrote up & executed on deploy steps.

Added a Docker image workflow to the repo so it could be deployed in k8s.

API Security

Refactored api key scopes to make it easier to introduce new scopes.

Allowed users to create API keys with expiration dates.

Allow API keys that were created with an expiration under 15 min to skip MFA – this makes creating ephemeral API keys much more convenient, without losing any security since the user just MFA’d to create it.
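As an added illustration (not rubygems.org's code), here is a Ruby sketch of the use-time policy behind that rule: a key can only be created from an MFA-verified session, it is rejected once expired, and only a key whose whole lifetime was under the limit is exempt from MFA on use. The `ApiKey` struct, the `authorize` method, and the 15-minute constant are assumptions for illustration, not the real model.

```ruby
# Added example: a sketch of an ephemeral-API-key policy. Field and method
# names are assumptions, not rubygems.org's implementation.
EPHEMERAL_LIMIT = 15 * 60 # seconds; keys with a shorter lifetime skip MFA on use

ApiKey = Struct.new(:created_at, :expires_at, :mfa_verified_at, keyword_init: true) do
  # Creation itself is only permitted from a session that has completed MFA.
  def self.create(now:, ttl:, mfa_verified_at:)
    raise ArgumentError, "MFA required to create an API key" if mfa_verified_at.nil?
    raise ArgumentError, "ttl must be positive" unless ttl.positive?
    new(created_at: now, expires_at: now + ttl, mfa_verified_at: mfa_verified_at)
  end

  def expired?(now)
    !expires_at.nil? && now >= expires_at
  end

  # "Ephemeral" is judged on the lifetime fixed at creation, not on the time
  # remaining, so a long-lived key never becomes MFA-exempt as it nears expiry.
  def ephemeral?
    !expires_at.nil? && (expires_at - created_at) < EPHEMERAL_LIMIT
  end

  # Outcome of a request made at `now`: :ok, :expired or :mfa_required.
  # `otp_valid` says whether the request carried a valid MFA code.
  def authorize(now:, otp_valid: false)
    return :expired if expired?(now)
    return :ok if otp_valid || ephemeral?
    :mfa_required
  end
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2024, 5, 10, 12, 0, 0) # constructed timestamp
  short = ApiKey.create(now: t0, ttl: 10 * 60, mfa_verified_at: t0)
  long  = ApiKey.create(now: t0, ttl: 24 * 3600, mfa_verified_at: t0)
  puts short.authorize(now: t0 + 60)          # ok (ephemeral, no OTP needed)
  puts short.authorize(now: t0 + 11 * 60)     # expired
  puts long.authorize(now: t0 + 60)           # mfa_required
end
```

The order of checks matters: expiry is tested before the MFA exemption, so a stale ephemeral key is never accepted just because it was short-lived.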

Trusted publishing

Added API for trusted publishing. Wrote rubygems plugin to use the API & set up trusted publishing for an existing gem.



Began implementing DSSE/in-toto support.

Needed to be able to verify Sigstore bundles produced by GitHub’s new attestation action.
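As an added example covering both the DSSE work and the attestation verification above (not the residency's own code, the rubygems plugin, or any Sigstore library), here is a Ruby sketch of DSSE pre-authentication encoding, envelope signing and verification, and the in-toto subject check a consumer would run against a downloaded gem. The ECDSA key, predicate type and helper names are constructed for illustration; a real Sigstore bundle also carries a signing certificate and transparency-log proof that this sketch does not verify.

```ruby
require "openssl"
require "base64"
require "json"
require "digest"

# Added example, not project code. DSSE pre-authentication encoding per the
# DSSE spec:  "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
# LEN is the decimal byte length. Signing the PAE rather than the raw payload
# binds payloadType to the signature, so it cannot be swapped after signing.
def dsse_pae(payload_type, payload)
  "DSSEv1 #{payload_type.bytesize} #{payload_type} #{payload.bytesize} #{payload}"
end

def dsse_sign(key, payload_type, payload, keyid: "")
  sig = key.sign(OpenSSL::Digest.new("SHA256"), dsse_pae(payload_type, payload))
  { "payloadType" => payload_type,
    "payload" => Base64.strict_encode64(payload),
    "signatures" => [{ "keyid" => keyid, "sig" => Base64.strict_encode64(sig) }] }
end

# True if any signature in the envelope verifies under pubkey over the PAE.
def dsse_verify(pubkey, envelope)
  payload = Base64.strict_decode64(envelope.fetch("payload"))
  pae = dsse_pae(envelope.fetch("payloadType"), payload)
  envelope.fetch("signatures").any? do |s|
    pubkey.verify(OpenSSL::Digest.new("SHA256"), Base64.strict_decode64(s.fetch("sig")), pae)
  end
rescue ArgumentError, KeyError # malformed base64 or missing fields
  false
end

IN_TOTO_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

def in_toto_statement(subject_name, sha256_hex, predicate_type, predicate)
  { "_type" => STATEMENT_TYPE,
    "subject" => [{ "name" => subject_name, "digest" => { "sha256" => sha256_hex } }],
    "predicateType" => predicate_type,
    "predicate" => predicate }
end

# Consumer-side check: the envelope must verify, be an in-toto statement, and
# name a subject whose sha256 matches the artifact bytes actually held.
def check_attestation(pubkey, envelope, artifact_bytes)
  return :bad_signature unless dsse_verify(pubkey, envelope)
  return :wrong_payload_type unless envelope["payloadType"] == IN_TOTO_TYPE
  statement = JSON.parse(Base64.strict_decode64(envelope["payload"]))
  return :not_a_statement unless statement["_type"] == STATEMENT_TYPE
  digest = Digest::SHA256.hexdigest(artifact_bytes)
  matched = Array(statement["subject"]).any? { |s| s.dig("digest", "sha256") == digest }
  matched ? :ok : :subject_mismatch
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::EC.generate("prime256v1") # constructed signer, stands in for the CI identity
  gem_bytes = "constructed gem contents"
  stmt = in_toto_statement("example-1.0.0.gem", Digest::SHA256.hexdigest(gem_bytes),
                           "https://example.invalid/predicate/v1", { "builder" => "ci" })
  env = dsse_sign(key, IN_TOTO_TYPE, JSON.generate(stmt))
  puts check_attestation(key, env, gem_bytes)         # ok
  puts check_attestation(key, env, gem_bytes + "x")   # subject_mismatch
end
```

Because the PAE covers `payloadType`, changing it on an otherwise intact envelope fails signature verification rather than merely failing the type check, which is the property that makes DSSE safer than signing the bare payload.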

Hacked on ruby/openssl support for difficult times.