The maintainers of RubyGems, the main package – or “gem” – repository for the Ruby programming language, are taking the first steps toward enforcing multi-factor authentication (MFA) for gem publishers. A post stated that “starting today (June 13, 2022), the maintainers of at least the top 100 RubyGems packages will begin to see warnings on the RubyGems command-line tool and website if MFA is not enabled on their accounts.” MFA will be enforced for those maintainers from August 15, and the requirement will later be extended to cover more gems.
This process began in January with an RFC, which also reveals that the top 100 gems are those exceeding 180 million total downloads. The RFC acknowledges that “users may not recognize the risks associated with not enabling MFA and think this extra step to be burdensome on their workflow.” The team also considered gem signing, but ruled it out because it would impose a cost on developers while doing nothing to prevent account takeovers, which is the threat MFA addresses. The team is still undecided whether to enforce MFA on all publishers or to restrict it to those whose gems reach a certain download threshold.
Another widely used repository is Python’s PyPI, where a researcher discovered three malicious packages late last year. The PyPI community is discussing MFA enforcement but, while it is agreed to be desirable, many issues have been raised, including that “PyPI does not currently have a large support staff like npm/GitHub/Microsoft does. Account recovery requests due to lost 2FA are already a huge drain on staff/volunteer resources” according to one post. Progress toward better support for MFA is under way.
A 2020 security paper on the subject referenced by the RubyGems team highlighted numerous weaknesses in registries and package managers and recommended more use of automated package analysis, among other measures.
While matters are improving a little, the common workflow of simply installing dependencies via tools like gem, pip and npm is neither safe nor secure, and fixing this remains a task high on the agenda of the open source community and those who rely on it.