Supply Chain Issue on Rails
We definitely have an open source supply chain issue to address. Code signing is no panacea in an environment of community contributors.
My co-worker Chris Choi just wrote on The Case for 2FA, Post Rest-client Gem CVE at https://rietta.com/blog/rest-c.... It includes an interview with Matt Manning, whose Rubygems account was compromised and used to push the malicious code to rest-client. At this point, the best we can hope for is to get the word out to other popular Gem maintainers.