+1 for offering TLS/SSL for the downloads.

While publishing the hashes is a first step, as long as they are served
over plain HTTP it wouldn't prevent any sophisticated attacker from
man-in-the-middling a different web page with forged hashes to the clients
(in addition to forged download packages).

-Martin


2013/2/4 Marc-Andre Lafortune <ruby-core-mailing-list / marc-andre.ca>

> The MD5 & SHA256 hashes are posted on ruby-lang.org though.
>
> OTOH, www.ruby-lang.org itself does not currently accept https requests.
>
>
> On Sun, Feb 3, 2013 at 5:20 PM, Charlie Somerville <
> charlie / charliesomerville.com> wrote:
>
>> In light of the recent security issues with RubyGems, I think it would be
>> a good idea to look at how Ruby itself is distributed.
>>
>> Currently the main place to download Ruby source distributions is
>> http://ftp.ruby-lang.org/.
>>
>> These downloads are run over cleartext HTTP and are unauthenticated.
>>
>> SSL should be considered for this host so users downloading Ruby can have
>> some assurance that the distribution has not been tampered with.
>>
>> I think eventually SSL should be mandatory, although I'm not sure if this
>> would break software like RVM.
>>
>> Cheers,
>>
>> Charlie
>>
>
>
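The point Martin makes above (a hash fetched over the same unauthenticated channel as the archive adds no integrity) can be shown concretely. The following Ruby script is an added illustration for this thread, not code from ruby-lang.org or from any of the posters. The "servers" are plain Hashes standing in for HTTP responses, the tarball bytes are constructed samples, and `PINNED_SHA256` models a digest the user obtained out of band from an authenticated source (for example an HTTPS page or a signed announcement); all of those are assumptions of the example.

```ruby
require 'digest'

# Constructed sample bytes standing in for a Ruby source tarball and for a
# modified copy of it. Neither is a real release artifact.
GENUINE_TARBALL  = "ruby-2.0.0-p0.tar.gz contents (constructed sample)".b
TAMPERED_TARBALL = "ruby-2.0.0-p0.tar.gz contents (constructed, modified)".b

# Digest the user recorded from an authenticated channel and pinned locally.
# Assumption of the example: this value, and only this value, is trusted.
PINNED_SHA256 = Digest::SHA256.hexdigest(GENUINE_TARBALL)

# Constant-time comparison of two hex digests, so the check itself does not
# leak how many leading characters matched.
def digests_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify downloaded bytes against an expected SHA-256 hex digest.
def verify_download(data, expected_hex)
  digests_equal?(Digest::SHA256.hexdigest(data), expected_hex)
end

# A "server" is a Hash from path to the bytes it returns over plain HTTP.
def fetch_over_http(server, path)
  server.fetch(path)
end

# The real mirror: genuine archive and the matching digest page.
HONEST_SERVER = {
  "/ruby.tar.gz"        => GENUINE_TARBALL,
  "/ruby.tar.gz.sha256" => Digest::SHA256.hexdigest(GENUINE_TARBALL),
}.freeze

# What a client sees when an on-path party rewrites both plain-HTTP responses:
# the archive and the digest page now agree with each other. Constructed model
# of the scenario described in the thread; no real traffic is involved.
REWRITTEN_RESPONSES = {
  "/ruby.tar.gz"        => TAMPERED_TARBALL,
  "/ruby.tar.gz.sha256" => Digest::SHA256.hexdigest(TAMPERED_TARBALL),
}.freeze

# Client that takes the digest from the same unauthenticated channel as the
# archive. This is the check ruby-lang.org's posted hashes enable over HTTP.
def check_with_served_hash(server)
  data = fetch_over_http(server, "/ruby.tar.gz")
  hash = fetch_over_http(server, "/ruby.tar.gz.sha256")
  verify_download(data, hash)
end

# Client that compares against the pinned, out-of-band digest instead.
def check_with_pinned_hash(server)
  data = fetch_over_http(server, "/ruby.tar.gz")
  verify_download(data, PINNED_SHA256)
end

if __FILE__ == $PROGRAM_NAME
  puts "served hash, honest mirror:      #{check_with_served_hash(HONEST_SERVER)}"
  puts "served hash, rewritten responses: #{check_with_served_hash(REWRITTEN_RESPONSES)}"
  puts "pinned hash, honest mirror:      #{check_with_pinned_hash(HONEST_SERVER)}"
  puts "pinned hash, rewritten responses: #{check_with_pinned_hash(REWRITTEN_RESPONSES)}"
end
```

Run as a script, the second line shows the served-hash check passing even though the archive was altered, because the digest page was altered to match; only the pinned-hash client rejects it. That is the gap TLS on both ftp.ruby-lang.org and www.ruby-lang.org (or a signature whose key is obtained independently) closes: the digest is only as trustworthy as the channel it arrived on.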