This phase completes the server by adding the key server for cryptographic validation and ensuring full backward compatibility with RubyGems. It integrates signing, key management, and mirroring to support the existing gem ecosystem.
- Implement key server with public key management and revocation.
- Enforce signing for gem pushes.
- Add mirroring from rubygems.org for unsigned gems.
- Provide full API compatibility with RubyGems.
- Create Key model for storing public keys (Ed25519, RSA, etc.).
- Add endpoints:
GET /keys/{owner},POST /keys/validate,POST /keys/revoke. - Support revocation lists and propagation via federation.
- Integrate with owner authentication.
- Require signatures for gem pushes (first push and updates).
- Validate signatures on push using owner's public key.
- Store signature metadata with gems.
- Reject unsigned or invalidly signed gems.
- Implement standard RubyGems endpoints:
/gems,/api/v1/gems, etc. - Map null scope to root namespace.
- Support legacy gem pulls without scopes.
- Add mirroring logic to sync gems from rubygems.org.
- Endpoint:
POST /admin/mirrorto trigger sync. - Store mirrored gems in null scope.
- Handle version conflicts and updates.
- Provide scripts/tools to migrate existing gems into scopes.
- Support bulk operations for owners and permissions.
- Upgrade to distributed storage if needed (e.g., for keys and gems).
- Add rate limiting, DDoS protection.
- Full HTTPS enforcement.
- End-to-end tests with RubyGems client.
- Test signing, key revocation, mirroring.
- Performance tests for large-scale operations.
- Complete API specs and federation protocol docs.
- Deployment guides for production.
- Update README with full feature set.
- Fully functional federated gem server with key management.
- Compatible with RubyGems ecosystem.
- Production-ready with tests and docs.
- Compatibility issues with RubyGems; mitigate with extensive testing.
- Key security; use best practices for storage and revocation.
- Server ready for deployment and adoption.