Issue #9439 has been updated by Shyouhei Urabe.


Luis Lavena wrote:
> Shyouhei Urabe wrote:
> > > All that gem needs is the digital signature.
> > 
> > To be precise it only needs to verify signatures.  Signing itself can be done using other tools, like gpg(1).
> 
> That means gpg becomes an external dependency of the build/integration process.
> 
> gpg is not available in all the platforms.
> 
> There has been a bunch of research and investigation in relation to trusted RubyGems; I strongly recommend that it be analyzed before the decision to remove such a critical package as OpenSSL is made.

Very true.  I have no idea why RubyGems uses https and not other tools.  Any pointers?

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44517

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and it would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss them here.



-- 
http://bugs.ruby-lang.org/