From cde073746b7fdb13f96d51609d7d17ba3b99570d Mon Sep 17 00:00:00 2001 From: Jenny Shen Date: Wed, 6 Dec 2023 11:43:24 -0500 Subject: [PATCH] Update mfa requirement docs Currently the docs outline that the rubygems_mfa_required will require owners to enter an OTP for all privileged operations. In actuality, rubygems_mfa_required will require owners just to have MFA enabled (and not specifically at the ui_and_api level). --- mfa-requirement-opt-in.md | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/mfa-requirement-opt-in.md b/mfa-requirement-opt-in.md index b9d319d..d6f2eea 100644 --- a/mfa-requirement-opt-in.md +++ b/mfa-requirement-opt-in.md @@ -7,8 +7,7 @@ next: /using-s3-source --- How to opt-in for MFA requirement. -You can make your gems more secure by requiring that all privileged -operations by any of the owners require OTP. +You can make your gems more secure by requiring all owners to enable MFA on their account. ## Opt-in to MFA requirement @@ -22,8 +21,8 @@ You can opt-in a gem you are managing by releasing a version that has ... end -The version being released with `rubygems_mfa_required` set and all the following version -will require that you provide an OTP for all privileged operations. +The version being released with `rubygems_mfa_required` set and all the following versions +will require you to have MFA enabled. Once enabled, the gem page will show `NEW VERSIONS REQUIRE MFA` in the sidebar, and all versions published with `rubygems_mfa_required` set will also show `VERSION PUBLISHED WITH MFA`: ![MFA status indicators](/images/mfa-required-since.png){:class="t-img t-img--small"} 
@@ -34,17 +33,6 @@ a new version for a gem that requires MFA: Pushing gem to https://rubygems.org... Rubygem requires owners to enable MFA. You must enable MFA before pushing new version. - -## privileged operations - -Following operations will require OTP verification if you have MFA requirement -set on the gem. - -- `gem push` -- `gem yank` -- `gem owner --add/remove` -- **adding or removing owners using gem ownership page** - ## Disabling MFA requirement You can disable the MFA requirement by setting `rubygems_mfa_required` to `"false"` or any [`ActiveRecord::Type::Boolean::FALSE_VALUES`](https://api.rubyonrails.org/classes/ActiveModel/Type/Boolean.html).
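Review bot: In the first content hunk (`@@ -22,8 +21,8 @@`), the new sentence "will require you to have MFA enabled" does not say what an owner without MFA is blocked from doing, or that any MFA level satisfies the requirement. The commit message states that the requirement is not tied to the `ui_and_api` level, but that point never reaches the doc text. Suggest wording such as "will require every owner to have MFA enabled on their account, at any level", and tying it to the push error shown further down the page so the consequence is explicit.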
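Review bot: The last hunk (`@@ -34,17 +33,6 @@`) drops the entire `## privileged operations` section, so the page no longer says which operations are gated by the requirement; the only one still mentioned is pushing, through the "You must enable MFA before pushing new version" output. The removed list also named `gem yank`, `gem owner --add/remove` and the gem ownership page. If those are still refused for owners without MFA, keep a reworded list (refused until MFA is enabled, rather than requiring OTP verification). If only push is affected, state that explicitly, because readers relying on the old text may assume yank and ownership changes are covered as well.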