I would like to suggest a feature.
My current problem is a gem publishing process that is not security oriented.
This issue is related to:
gem
After seeing the recently hacked and published gems on rubygems.org, I highly recommend making 2FA mandatory before publishing to rubygems.org.
Any thoughts about this?
See the news:
I will abide by the code of conduct.
We already provide 2FA for publishing gems.
https://guides.rubygems.org/setting-up-multifactor-authentication/
Yeah I know, but this was also not my question :)
My suggestion was to make it mandatory for everyone who wants to publish to rubygems.org, to make it harder for these problems to occur.
See https://github.com/rubygems/rubygems.org/issues/2101#issuecomment-523237721
There is no plan to enforce 2FA for everyone yet.
Mandatory 2FA would also mean that I could no longer publish updates to any of my gems. I could explain why but it would take too long - suffice to say that this would mean that I would then become inactive on rubygems.org. The awkward thing would then be that I could continue to publish code at github, right? So this would be an awkward situation, so I am totally against making this mandatory.
What I think may be useful is to add a reputation system, and more fine-tuned control for Ruby users, into "gem" directly, and also on rubygems.org, in the long run. For example, just one example: most of these trojaned gems have very few downloads. So we could add, to gem itself, a min-download query check. Something like, for people to set:
"if this gem has fewer than 2000 downloads, do not allow any AUTOMATIC installation of it".
People may then be required to install it otherwise, or use a command-line flag instead to specifically bypass/ignore that additional new limitation. It is still a bit inconvenient, but not necessarily as much as this suggestion to simply boot those who do not or cannot use 2FA.
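One way the min-download check proposed in the comment above could be wired into `gem` itself, as an added example that is neither the commenter's code nor part of RubyGems: a `Gem.pre_install` hook that refuses automatic installs of gems below a download threshold and fails closed when the lookup fails. The 2000 threshold, the `GEM_ALLOW_LOW_DOWNLOADS` bypass variable and the sample API response are assumptions.

```ruby
require 'rubygems'
require 'json'
require 'net/http'

# Threshold and bypass switch are assumptions chosen to match the suggestion
# in the thread; nothing in RubyGems ships with them.
MIN_DOWNLOADS = 2000
BYPASS_ENV    = 'GEM_ALLOW_LOW_DOWNLOADS'

# Policy decision: returns [allowed, reason].
def low_download_policy(name, downloads, min: MIN_DOWNLOADS, bypass: false)
  return [true, "bypass requested for #{name}"] if bypass
  return [true, "#{name}: #{downloads} downloads >= #{min}"] if downloads >= min
  [false, "#{name} has only #{downloads} downloads (< #{min}); " \
          "install it manually or set #{BYPASS_ENV}=1 to override"]
end

# Parse the document rubygems.org serves at /api/v1/gems/<name>.json;
# its "downloads" field is the gem's total download count.
def downloads_from_api(json)
  Integer(JSON.parse(json).fetch('downloads'))
end

# Live lookup used by the hook. Fails closed: a lookup error counts as zero
# downloads rather than silently allowing the install.
def fetch_downloads(name)
  uri = URI("https://rubygems.org/api/v1/gems/#{name}.json")
  res = Net::HTTP.get_response(uri)
  res.is_a?(Net::HTTPSuccess) ? downloads_from_api(res.body) : 0
rescue StandardError
  0
end

# RubyGems runs registered pre_install hooks before unpacking a gem; a hook
# that returns false aborts the installation. Loading this file from a
# rubygems_plugin.rb would enforce the policy on every `gem install`.
Gem.pre_install do |installer|
  name = installer.spec.name
  allowed, reason = low_download_policy(name, fetch_downloads(name),
                                        bypass: ENV[BYPASS_ENV] == '1')
  warn "low-download policy: #{reason}" unless allowed
  allowed
end

# Constructed sample response (not real rubygems.org data) for offline use.
SAMPLE_RESPONSE = '{"name":"example-gem","downloads":37,"version":"0.1.0"}'
```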