Reconcile RubyGems with GitHub Team privileges

[jrgriffiniii]

As discussed on the RubyGems documentation:

RubyGems has had the ability to cryptographically sign gems since version 0.8.11. This signing works by using the gem cert command to create a key pair, and then packaging signing data inside the gem itself. The gem install command optionally lets you set a security policy, and you can verify the signing key for a gem before you install it.

In order to define a policies for publishing Gems securely, I would please propose that the following criteria be met:

1. Gem publishers need be active members of the Samvera Community (members of the contributors Team on GitHub)
2. Gem publishers need select a single e-mail address for usage in Gem specifications (.gemspec files)
   1. An individual may have multiple e-mail addresses in different .gemspec files, each linked to past roles within different organizations (there are certainly cases where an individual may move between organizations or change roles while remaining active members of Samvera). In this case, I propose that there be a primary e-mail address reserved for Samvera contributions
3. Gem publishers need generate and manage their own self-signed Gem certificate using gem cert --build [email protected]
4. RubySec be referenced for any existing Gem vulnerabilities which may readily affect the release of a new Gem

[jrgriffiniii]

https://github.com/samvera/maintenance#updating-gem-ownership-permissions features the steps involved in ensuring that RubyGems ownership permissions are updated.

[jrgriffiniii]

https://github.com/samvera/maintenance/blob/main/script/grant_revoke_gem_authority.rb#L104 conditions upon the admin team membership to update RubyGems permissions.

[jrgriffiniii]

Realistically, I suspect that this is going to be blocked by #121

[jrgriffiniii]

#123 advances this to some extent, but I suspect that questions will still need to be posed to the Samvera Community in order to gauge how best to document RubyGems projects which are anomalies.