Issue #9439 has been updated by Luis Lavena.


Shyouhei Urabe wrote:
> 
> Very true.  I have no idea on why RubyGems use https and not other tools.  Any pointers?

AFAIK it is to avoid MITM attacks and such, since if signatures are also stored along with the packages, how can you verify that the packages have not been altered?

You will say, why doesn't RubyGems use something else? Well, why would you impose gpg on all the users of RubyGems, even when the tool is not available?

Back in November there was an initiative to implement TUF on top of RubyGems, please see the following link:

http://rubyforge.org/pipermail/rubygems-developers/2013-November/thread.html

More and better responses on this can be provided by Eric Hodel.

But again, removal of OpenSSL is not the answer to what some core committers see as personal attacks around OpenSSL defaults.
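The point made above about signatures stored next to the packages, as an added example that is not part of the original post and is not RubyGems' own code: a mirror serves a package, its detached signature and the signing key over an unauthenticated channel, an on-path attacker rewrites all three consistently, and only a client that holds the publisher's key from somewhere other than that channel (a pinned trust anchor, here a constant) notices. All names, keys and package contents are constructed for this illustration.

```ruby
require 'openssl'

# Constructed example: models a gem mirror reached over plain HTTP, which
# serves {package, detached signature, signing public key}, and a network
# attacker who can rewrite everything in transit. Not RubyGems' code.

DIGEST = 'SHA256'

# Hypothetical publisher and attacker key pairs (freshly generated each run).
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)
ATTACKER_KEY  = OpenSSL::PKey::RSA.new(2048)

# Constructed sample package bodies.
GENUINE_GEM  = "gem: example-1.0.0\nbody: harmless\n"
TAMPERED_GEM = "gem: example-1.0.0\nbody: backdoored\n"

def sign_package(key, data)
  key.sign(OpenSSL::Digest.new(DIGEST), data)
end

# What the mirror serves: the package, its signature, and the key that made it.
def publish(key, data)
  {
    package:    data,
    signature:  sign_package(key, data),
    pubkey_pem: key.public_key.to_pem
  }
end

# An on-path attacker on an unauthenticated channel replaces all three fields
# with a self-consistent set signed by the attacker's own key.
def mitm(_served)
  publish(ATTACKER_KEY, TAMPERED_GEM)
end

def verify(pubkey_pem, package, signature)
  OpenSSL::PKey::RSA.new(pubkey_pem)
                    .verify(OpenSSL::Digest.new(DIGEST), signature, package)
end

# Naive client: trusts whatever key arrived alongside the package.
# The signature "checks out" even on the tampered package.
def naive_client_accepts?(served)
  verify(served[:pubkey_pem], served[:package], served[:signature])
end

# Pinned client: verifies against a publisher key obtained out of band
# (the trust anchor), so a re-signed package fails verification.
def pinned_client_accepts?(served, pinned_pub_pem)
  verify(pinned_pub_pem, served[:package], served[:signature])
end

# Publisher key as the client would have pinned it ahead of time.
PINNED_PUB_PEM  = PUBLISHER_KEY.public_key.to_pem
GENUINE_SERVED  = publish(PUBLISHER_KEY, GENUINE_GEM)
TAMPERED_SERVED = mitm(GENUINE_SERVED)

if __FILE__ == $PROGRAM_NAME
  puts "naive  client, genuine : #{naive_client_accepts?(GENUINE_SERVED)}"
  puts "naive  client, tampered: #{naive_client_accepts?(TAMPERED_SERVED)}"
  puts "pinned client, genuine : #{pinned_client_accepts?(GENUINE_SERVED, PINNED_PUB_PEM)}"
  puts "pinned client, tampered: #{pinned_client_accepts?(TAMPERED_SERVED, PINNED_PUB_PEM)}"
end
```

The pinned key plays the same role that the CA-verified server identity plays when the index and packages are fetched over HTTPS: something the attacker on the wire cannot substitute. Without such an anchor, a signature that travels with the package only proves that whoever last touched the bytes also produced the signature.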

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44518

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and it would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss them here.



-- 
http://bugs.ruby-lang.org/