top | item 45532496


rgreeko42 | 4 months ago

So is this a smear of Arko (and by extension Ruby Gems' sloppy security) but dressed up like a Security disclosure?

If I'm reading it right, it seems quite petty (and a bit cowardly). Arko was a maintainer, was he not? How is that a breach? Presumably his credentials were not misbegotten, or is that the accusation?


fatbird | 4 months ago

After Arko's direct access was revoked, Arko retained access via possession of the root password (which RC should have rotated at the same time). Arko then changed the root password, locking RC out of their AWS account, waited a couple weeks, and then Joel Drapper blogged about the situation with proof that the now-fired Arko controlled the account, in order to make RC look bad.

picadi | 4 months ago

One assumes he copied the AWS root password out of the RC-provided enterprise password manager / vault onto his own personally controlled password manager before he was locked out, which might be forgivable if it wasn't the root login for a major language's package registry.

PapaPalpatine | 4 months ago

It’s only a smear if all of the public comments thus far against Shopify and Ruby Central are also smears.