
RubyGems has begun requiring multi-factor authentication (MFA) for its largest publishers. The package manager has started alerting the maintainers of gems with more than 165 million total downloads, via both the RubyGems command-line tool and the website, recommending that they enable MFA on their accounts.
Accounts that have not enabled MFA by August 15 will have it enforced; roughly 100 accounts are affected. RubyGems plans to extend the MFA requirement beyond these top maintainers in the coming months.
Supply chain attacks that stem from maintainer account credentials being hijacked or leaked are the second most common attack on software today, and RubyGems itself has been hit by such attacks in the past.
The new requirement follows a similar move from GitHub, which last month announced that two-factor authentication (2FA) would be made mandatory for all code contributors by the end of next year.
NPM, too, has been working to enforce 2FA, initially for its top 100 Node.js package maintainers, but with a broader rollout already underway.
We are aware of other ecosystems that plan to announce similar policies in the future; we won't say who, as they are not ready to announce yet.
However, some believe these moves do not go far enough. Requiring MFA on the publishing account does nothing to protect the integrity of the source code's authorship, critics argue; registries should instead require phishing-resistant MFA together with source code signing that is linked to the developer's identity.