> 
> There's unfortunately no security mechanism in RubyGems atm.; this is
> somewhat difficult due to RubyGems' "distributed" nature, where the
> packaging work is pushed down to upstream developers, so even if gem
> signatures were implemented, building the web of trust could take some
> time.
> 

A good start would be working in signatures and letting people do with
that whatever seems natural. For example, if I were to release a gem I'd
like to sign it and provide my public key on the official project
website, or its fingerprint, which can be got from a public keyserver.
That requires a manual check by the user to be of any use, but once the
infrastructure is there other things can evolve, like some repositories
having an upload system where developers must sign the gem and are
allowed to upload with their signature for a set of packages. Packages
can be uploaded by possibly more than one developer. The repository
provides, along with the gems, a keyring of the public keys. The client
downloads a package and checks its signature against that keyring. Or
maybe the client doesn't even need to verify, because it's the upload
process that really benefits from the security measures. (If someone can
modify what gem you download they can probably modify what keyring you
get... on the other hand, if the keyring itself were signed by the
repository ...)
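As an added illustration of the scheme sketched above (example code written for this thread, not RubyGems' own signing code): a developer signs a gem, the repository publishes a keyring that says which developer keys may publish which package names and signs that keyring itself, and the client trusts only a single pinned repository public key. The package name `foo`, the key names and the gem bytes are constructed for the demo.

```ruby
require 'openssl'
require 'json'

DIGEST = 'SHA256'

def sign(key, data)
  key.sign(OpenSSL::Digest.new(DIGEST), data)
end

# A wrong signature yields false; a malformed one raises, which we treat the same.
def verify(pub_pem, data, sig)
  OpenSSL::PKey::RSA.new(pub_pem).verify(OpenSSL::Digest.new(DIGEST), sig, data)
rescue OpenSSL::PKey::PKeyError
  false
end

# Repository side: keyring = { package name => [authorized developer public keys] },
# signed with the repository key so that replacing the keyring on the download
# path is not enough; the attacker would also need the repository's private key.
def build_keyring(repo_key, authorizations)
  payload = JSON.generate(authorizations)
  { 'payload' => payload, 'sig' => [sign(repo_key, payload)].pack('m0') }
end

# Client side: check the keyring against the pinned repository key first, then
# check the gem signature against a key authorized for that package name.
def gem_trusted?(repo_pub_pem, keyring, gem_name, gem_bytes, gem_sig)
  return false unless verify(repo_pub_pem, keyring['payload'], keyring['sig'].unpack1('m0'))
  JSON.parse(keyring['payload']).fetch(gem_name, []).any? { |pem| verify(pem, gem_bytes, gem_sig) }
end

# Constructed demo: a repository key, an authorized developer key ("alice") and
# an unrelated key ("other"); the gem contents are a stand-in for a .gem file.
def demo
  repo, alice, other = Array.new(3) { OpenSSL::PKey::RSA.generate(2048) }
  repo_pub = repo.public_key.to_pem
  keyring = build_keyring(repo, { 'foo' => [alice.public_key.to_pem] })
  gem = 'constructed gem bytes for foo-1.0'
  {
    genuine: gem_trusted?(repo_pub, keyring, 'foo', gem, sign(alice, gem)),
    tampered: gem_trusted?(repo_pub, keyring, 'foo', gem + 'x', sign(alice, gem)),
    unauthorized_key: gem_trusted?(repo_pub, keyring, 'foo', gem, sign(other, gem)),
    # keyring re-signed by a key that is not the pinned repository key
    forged_keyring: gem_trusted?(repo_pub, build_keyring(other, { 'foo' => [other.public_key.to_pem] }),
                                 'foo', gem, sign(other, gem))
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Only the `genuine` case passes; the tampered gem, the signature from a key not listed for `foo`, and the keyring not signed by the pinned repository key are all rejected before the gem would be installed.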