And gem/bundler warn if the signature is not present or invalid?
The problem seems to be that work on the trust infrastructure has been dormant since 2011. The basic signing functionality is in place[1], but it's not enforced and consequently nobody is using it.
I hope this event will remind the people in charge to finish what they started. Otherwise it's a matter of time until something Really Bad™ happens. The code underlying rubygems[.org] is the stuff nightmares are made of (Marshal...).
It is very possible that something Really Bad™ has already happened, and we don't know about it. If it were me, I wouldn't let it out that I had essentially an unlimited backdoor to every system that installs gems.
[1] http://docs.rubygems.org/read/chapter/21