-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add MFA enforcement on popular gems blog post #121
Conversation
<p align="center"> | ||
<img src="/images/gem-with-mfa-flag-dropshadow.png" alt="Doodle of a RubyGem wearing an MFA hat, holding a flag with a checkmark" width="300"/> | ||
</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Used the same image as the last post. Do we want to change up the doodle this time around to keep it interesting?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you have time to update it, sure. Using the same if also fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bettymakes quickly stirred up another doodle 🚀 , replaced the OG doodle with that one.
<p align="center"> | ||
<img src="/images/gem-with-mfa-flag-dropshadow.png" alt="Doodle of a RubyGem wearing an MFA hat, holding a flag with a checkmark" width="300"/> | ||
</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you have time to update it, sure. Using the same if also fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✅ This looks great Jenny! Thanks for working on it. I have two small comments, one is purely a stylistic choice.
|
||
Two months ago, we outlined our [commitment](https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html) to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require MFA on at least the top-100 RubyGems packages. | ||
|
||
Today (August 15th, 2022), we will begin to enforce MFA on owners of gems with over 180 million total downloads. Users in this category who do not have MFA enabled on the `UI and API` or `UI and gem signin` level will not be able to edit their profile on the web, perform [privileged actions](https://guides.rubygems.org/mfa-requirement-opt-in/#privileged-operations) (i.e. push and yank gems, or add and remove gem owners) or sign in on the command line until they [configure MFA](https://guides.rubygems.org/setting-up-multifactor-authentication/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super tiny nit: It's just a stylistic choice. I prefer the Oxford comma. Its proper usage would be when there is a list of three or more things, which applies to this case.
That said, with or without the comma, it's correct.
Users in this category who do not have MFA enabled on the
UI and API
orUI and gem signin
level will not be able to edit their profile on the web, perform privileged actions (i.e. push and yank gems, or add and remove gem owners),👈 or sign in on the command line until they configure MFA.
<img src="/images/gem-with-thumbs-up-mfa-dropshadow.png" alt="Doodle of a RubyGem wearing a MFA hat, giving a thumbs up" width="300"/> | ||
</p> | ||
|
||
Two months ago, we outlined our [commitment](https://blog.rubygems.org/2022/06/13/making-packages-more-secure.html) to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require MFA on at least the top-100 RubyGems packages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should spell out "MFA" and define the acronym before using the acronym elsewhere.
Two months ago, we outlined our commitment to making Ruby’s supply chain more secure. To combat account takeovers — the second most common software supply chain attack — we announced a policy to require 👉 multi-factor authentication (MFA) 👈 on at least the top-100 RubyGems packages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes agreed, great catch! 🚀
Looking good, thanks all. |
Part of rubygems/rubygems.org#3163
Following up from the Phase 2 blog post: #110
This post will announce the MFA enforcement policy to the community. Some key points that are addressed