The MD5 & SHA256 hashes are posted on ruby-lang.org though. OTOH, www.ruby-lang.org itself does not currently accept https requests.

On Sun, Feb 3, 2013 at 5:20 PM, Charlie Somerville <charlie / charliesomerville.com> wrote:

> In light of the recent security issues with RubyGems, I think it would be
> a good idea to look at how Ruby itself is distributed.
>
> Currently the main place to download Ruby source distributions is
> http://ftp.ruby-lang.org/.
>
> These downloads are run over cleartext HTTP and are unauthenticated.
>
> SSL should be considered for this host so users downloading Ruby can have
> some assurance that the distribution has not been tampered with.
>
> I think eventually SSL should be mandatory, although I'm not sure if this
> would break software like RVM.
>
> Cheers,
>
> Charlie