Issue #9439 has been updated by Eric Hodel.


I'm not informed of the details of how TUF works, but the implementation in progress uses OpenSSL to verify metadata and packages, so Ruby will still require OpenSSL.

RubyGems already supports signing gems using OpenSSL, but there are numerous usability issues which have prevented this from becoming widely used.  GPG signing suffers from the same issues.  TUF is designed to avoid these issues which means RubyGems can provide usable security for users.

Even after TUF is deployed RubyGems will still need HTTPS for secure communication with legacy private repositories that haven't switched to using TUF.

I don't know how RubyGems can work without HTTPS connections for backwards compatibility.

http://theupdateframework.github.io has information on the TUF specification and reference implementation.  The rubygems-tuf mailing list is the place to ask questions about how TUF will work with RubyGems: https://groups.google.com/forum/#!forum/rubygems-tuf

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44521

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss them here.



-- 
http://bugs.ruby-lang.org/