Ruby Central’s “security measures” leave front door wide open
After taking control of the RubyGems GitHub organisation and open source software packages on 18 September, Ruby Central published a statement that claimed this was all done in the name of security.
The statement said, “to strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed.”
Then, in a video address released on 23 September, Shan Cureton reiterated, “with the departure of a lead maintainer [André Arko] and a transition of security engineer [Samuel Giddins], questions around administrative access to RubyGems, Bundler and RubyGems.org became urgent.”
She continued, “rather than leave critical infrastructure exposed, the Ruby Central board voted to temporarily remove certain administrative and commit privileges until agreements could be put in place.”
After the board vote, Marty Haught used his new GitHub owner privileges to remove several RubyGems open source maintainers from the organisation.
The front door
Despite locking RubyGems maintainers out of their own GitHub organisation in the name of security, Ruby Central in fact left André with access to critical production systems.
At the time of writing, André still has access to the RubyGems.org Service production systems, including the production database and logs.
Below are screenshots from AWS that prove this access.
André is also the only person with owner privileges on the Ruby Central GitHub organisation.
What does this mean?
I already challenged the claim that the takeover was necessary for security, explaining that having the ability to modify the open source code does not automatically mean having the ability to deploy it.
I also checked with several people who used to operate the RubyGems.org Service. They told me production deploys were already manual and that it would simply be a case of updating the Shipit config if you wanted to prevent maintainers who weren’t employed by Ruby Central from deploying new code, a change that should take about 30 minutes.
But while access to open source code does not present a security risk, access to the production database does.
Perhaps Ruby Central didn’t really believe André was a threat. Perhaps they are just incompetent. Perhaps both.
André has disclosed his access to Ruby Central and now awaits their response.
Disclosure
I was employed by Shopify between 2017 and 2022.
Changelog
- Removed mention of the fact that André also owns the Ruby Together GitHub organisation. It’s too confusing to explain why this is relevant — including details of the merger — and it’s not important to this story.