The MD5 & SAH256 hashes are posted on ruby-lang.org though.

OTOH, www.ruby-lang.org itself does not currently accept https requests.


On Sun, Feb 3, 2013 at 5:20 PM, Charlie Somerville <
charlie / charliesomerville.com> wrote:

> In light of the recent security issues with RubyGems, I think it would be
> a good idea to look at how Ruby itself is distributed.
>
> Currently the main place to download Ruby source distributions is
> http://ftp.ruby-lang.org/.
>
> These downloads are run over cleartext HTTP and are unauthenticated.
>
> SSL should be considered for this host so users downloading Ruby can have
> some assurance that the distribution has not been tampered with.
>
> I think eventually SSL should be mandatory, although I'm not sure if this
> would break software like RVM.
>
> Cheers,
>
> Charlie
>