Skip to content

Latest commit

 

History

History
66 lines (52 loc) · 2.38 KB

File metadata and controls

66 lines (52 loc) · 2.38 KB

Phase 3: Key Server and Full Compatibility

Overview

This phase completes the server by adding the key server for cryptographic validation and ensuring full backward compatibility with RubyGems. It integrates signing, key management, and mirroring to support the existing gem ecosystem.

Objectives

  • Implement key server with public key management and revocation.
  • Enforce signing for gem pushes.
  • Add mirroring from rubygems.org for unsigned gems.
  • Provide full API compatibility with RubyGems.

Steps

1. Key Server Implementation

  • Create Key model for storing public keys (Ed25519, RSA, etc.).
  • Add endpoints: GET /keys/{owner}, POST /keys/validate, POST /keys/revoke.
  • Support revocation lists and propagation via federation.
  • Integrate with owner authentication.

2. Gem Signing and Validation

  • Require signatures for gem pushes (first push and updates).
  • Validate signatures on push using owner's public key.
  • Store signature metadata with gems.
  • Reject unsigned or invalidly signed gems.

3. Backward Compatibility APIs

  • Implement standard RubyGems endpoints: /gems, /api/v1/gems, etc.
  • Map null scope to root namespace.
  • Support legacy gem pulls without scopes.

4. Mirroring Unsigned Gems

  • Add mirroring logic to sync gems from rubygems.org.
  • Endpoint: POST /admin/mirror to trigger sync.
  • Store mirrored gems in null scope.
  • Handle version conflicts and updates.

5. Migration Tools

  • Provide scripts/tools to migrate existing gems into scopes.
  • Support bulk operations for owners and permissions.

6. Enhanced Security and Scalability

  • Upgrade to distributed storage if needed (e.g., for keys and gems).
  • Add rate limiting, DDoS protection.
  • Full HTTPS enforcement.

7. Comprehensive Testing

  • End-to-end tests with RubyGems client.
  • Test signing, key revocation, mirroring.
  • Performance tests for large-scale operations.

8. Final Documentation and Deployment

  • Complete API specs and federation protocol docs.
  • Deployment guides for production.
  • Update README with full feature set.

Deliverables

  • Fully functional federated gem server with key management.
  • Compatible with RubyGems ecosystem.
  • Production-ready with tests and docs.

Risks

  • Compatibility issues with RubyGems; mitigate with extensive testing.
  • Key security; use best practices for storage and revocation.

Completion

  • Server ready for deployment and adoption.