RubyGems.org has added a new “maintainer” role that enables users to publish new versions of a gem. The gem hosting service lists 183,080 gems with more than 183 billion downloads. This new permission type is aimed at improving security for the 205,000+ gem owners and the service overall.
Historically, the responsibility of maintaining these gems has rested on individual developers or small teams, often juggling security patches alongside feature enhancements. While this model has fostered a vibrant and collaborative community, it has also introduced vulnerabilities, as inconsistent maintenance can lead to delayed security updates and potential exploitation.
“Until today, permissions on a gem were simply binary: either you were an owner on a gem, and you could do anything, or you were not an owner, and you could do nothing,” Ruby Central engineer Colby Swandale said. “In response to user requests, we have added a new option, the maintainer role.”
Owners vs. Maintainers on RubyGems.org
The new maintainer role is essentially limited to publishing new versions. On RubyGems.org, owners and maintainers now have distinct roles with different levels of access and responsibilities:
- Owners have comprehensive administrative privileges. They can publish new gem versions, configure OpenID Connect (OIDC) and trusted publishing settings, add or remove other owners and maintainers, and manage gem adoptions. This role is essential for overseeing the overall management and security of the gem.
- Maintainers focus primarily on the development and upkeep of the gem. They are empowered to publish new versions, ensuring that the gem remains up-to-date and functional. However, maintainers do not have the authority to configure security settings, manage user roles, or handle gem adoptions.
RubyGems introduced support for Trusted Publishers as a security improvement in December 2023, inspired by PyPI. This is a more secure publishing method for gem owners that exchanges short-lived identity tokens between a trusted third-party service and RubyGems.org. Trusted Publishing eliminates the need to use username/password combinations or manually generated API tokens to authenticate when publishing a gem. Changing these settings is now restricted to Owner accounts.
“We’re adding the maintainer role primarily to improve security,” Swandale said. “As long as every user has owner permissions, gaining access to any of those accounts is enough to fully take over a gem. Since not all users need the maximum permissions of an owner, the new role allows the defensive security strategy often called ‘minimal permissions,’ where users are only given the permissions that they actually need to use, in order to reduce damage if an account is compromised.”
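As an added illustration (not RubyGems.org's own code), the following Ruby sketch models the owner/maintainer split from the list above and the account-compromise comparison Swandale describes; the action names follow the article, while the module, method names and the sample team are assumptions.

```ruby
require 'set'

module GemRoles
  # Actions named in the article, grouped by the role that may perform them.
  PUBLISH_ACTIONS = %i[push_version].freeze
  ADMIN_ACTIONS   = %i[configure_oidc configure_trusted_publishing
                       add_owner remove_owner add_maintainer
                       remove_maintainer manage_adoption].freeze

  PERMISSIONS = {
    owner:      (PUBLISH_ACTIONS + ADMIN_ACTIONS).to_set.freeze,
    maintainer: PUBLISH_ACTIONS.to_set.freeze
  }.freeze

  class Forbidden < StandardError; end

  # True when an account holding +role+ may perform +action+.
  def self.allowed?(role, action)
    PERMISSIONS.fetch(role) { raise ArgumentError, "unknown role: #{role}" }
               .include?(action)
  end

  # Fails loudly: a denied call should surface in logs, not be ignored.
  def self.authorize!(role, action)
    return action if allowed?(role, action)
    raise Forbidden, "#{role} may not #{action}"
  end

  # Number of accounts in +team+ (user => role) whose compromise hands an
  # attacker every action on the gem, i.e. a full takeover. Under the old
  # binary model this equals the team size; with maintainers it shrinks.
  def self.takeover_accounts(team)
    team.count { |_user, role| PERMISSIONS.fetch(role) == PERMISSIONS[:owner] }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed team: one human owner, one CI account and one contributor.
  team = { 'alice' => :owner, 'ci-bot' => :maintainer, 'bob' => :maintainer }
  puts "full-takeover accounts: #{GemRoles.takeover_accounts(team)}"
  begin
    GemRoles.authorize!(:maintainer, :configure_trusted_publishing)
  rescue GemRoles::Forbidden => e
    puts "denied: #{e.message}"
  end
end
```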
Swandale said RubyGems.org also has a long term plan to add organization accounts to the gem hosting service based on this underlying system that enables multiple permission types for gems. This new maintainer role is just the start for expanding the capabilities of gem management. Owners can now view and update permissions to give maintainers publishing rights without handing over full control of the owner account and security settings.