The maintainers of RubyGems, the main package – or “gem” – repository for the Ruby programming language, are taking the first steps towards enforcing multi-factor authentication for gem publishers. A post stated that “starting today (June 13, 2022), the maintainers of at least the top 100 RubyGems packages will begin to see warnings on the RubyGems command-line tool and website if MFA is not enabled on their accounts.” MFA will be enforced for those maintainers from August 15, and the requirement will later be extended to include more gems.
This process began in January with an RFC, which also reveals that the top 100 gems are those which exceed 180 million total downloads. The RFC also acknowledges that “users may not recognize the risks associated with not enabling MFA and think this extra step to be burdensome on their workflow.” The team also considered gem signing, but ruled it out because it would impose a cost on developers without preventing account takeovers. The team is also unsure whether to enforce MFA on all publishers, or to restrict it to those whose gems reach a certain download threshold.
The RubyGems home page proudly states over 100 billion gem downloads. That figure looks large but it is dwarfed by npm, the JavaScript package registry, which sees over one billion downloads every day. Compromise of a popular package has huge potential for harm, particularly since the problem may be invisible to developers unless they take separate precautions to examine dependencies. Mandatory MFA was introduced on npm for its top 100 packages in February and for the top 500 in May this year. There is no quick fix though – just one month ago, a researcher demonstrated a potential compromise of an npm package via an expired domain.
Another widely used repository is Python’s PyPI, where a researcher discovered three malicious packages late last year. The PyPI community is discussing MFA enforcement but, while it is agreed to be desirable, many issues have been raised, including that “PyPI does not currently have a large support staff like npm/GitHub/Microsoft does. Account recovery requests due to lost 2FA are already a huge drain on staff/volunteer resources” according to one post. Progress towards better support for MFA is under way.
A 2020 security paper on the subject referenced by the RubyGems team highlighted numerous weaknesses in registries and package managers and recommended more use of automated package analysis, among other measures.
While matters are improving a little, the common workflow of simply installing dependencies via tools like gem, pip and npm is not safe or secure, and fixing this remains a task high on the agenda of the open source community and those who rely on it.