Em 22-01-2014 16:39, luislavena / gmail.com escreveu:
> Issue #9439 has been updated by Luis Lavena.
>
>
> Shyouhei Urabe wrote:
>> Very true.  I have no idea on why RubyGems use https and not other tools.  Any pointers?
> AFAIK it is to avoid MITM attacks and such, since if signatures are also stored along with packages, how can you verify that the packages are not altered?

I've always been curious about that, especially because the introduction 
of https://rubygems.org slowed down our deploys considerably and it's 
way slower to run bundler over the https version when compared to the 
regular http version.

If the only concern is about MITM attacks and if the reason for the much 
slower gems downloading is because they are being served through an 
HTTPS connection, then it would probably be much faster if we only got 
the list of gem signatures over an HTTPS connection. That way we'd be 
able to download the gems over regular http and then calculate the 
checksum and verify against the list of checksums downloaded from the 
secure connection. Or we could download the public key that signed all 
gems (in the case rubygems.org itself signed all gems) from a secure 
location (https) and perform all checks locally. Wouldn't that work and 
be much faster than the current alternative?
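Both checks proposed in the message above (comparing a downloaded package against a checksum list obtained over a trusted channel, and verifying a publisher signature with a public key obtained the same way) can be sketched in a few lines of Ruby. The block below is an added illustration and is not code from this thread, from RubyGems or from Bundler; the manifest line format, the key, the signature and the "gem" bytes are all constructed inline for the example, and the checksum and signature verification steps are shown as the client-side logic a verifier would run after fetching the manifest or public key over HTTPS and the package itself over plain HTTP.

```ruby
require "digest"
require "openssl"

# --- Constructed sample data (stands in for what the client would fetch) ---

# Bytes of a package downloaded over the untrusted (plain HTTP) channel.
GEM_DATA = "fake gem archive bytes for demonstration".b

# Checksum manifest as it would arrive over the trusted (HTTPS) channel.
# Assumed format for this example: "name-version sha256hex" per line.
# This is NOT the format RubyGems actually uses.
TRUSTED_MANIFEST =
  "example-1.0.0 #{Digest::SHA256.hexdigest(GEM_DATA)}\n" \
  "other-2.1.0 #{'0' * 64}\n"

# Stand-in for the publisher's signing key. Only the public half would be
# fetched over HTTPS; the private half never leaves the publisher.
SIGNING_KEY    = OpenSSL::PKey::RSA.new(2048)
PUBLIC_KEY_PEM = SIGNING_KEY.public_key.to_pem
SIGNATURE      = SIGNING_KEY.sign(OpenSSL::Digest.new("SHA256"), GEM_DATA)

# --- Approach 1: checksum list over HTTPS, package over HTTP ---

# Parse the manifest into { "name-version" => sha256hex }, dropping any
# line that is not a well-formed 64-hex-digit SHA-256 entry.
def parse_manifest(text)
  text.each_line.with_object({}) do |line, table|
    name, hex = line.strip.split(/\s+/, 2)
    next unless name && hex && hex.match?(/\A[0-9a-f]{64}\z/)
    table[name] = hex
  end
end

# True only if the manifest lists this exact name/version and the digest
# of the downloaded bytes matches it. An unlisted package is rejected
# rather than silently accepted (fail closed).
def checksum_ok?(name, version, data, manifest)
  expected = manifest["#{name}-#{version}"]
  return false if expected.nil?
  Digest::SHA256.hexdigest(data) == expected
end

# --- Approach 2: public key over HTTPS, signature checked locally ---

# Verify an RSA/SHA-256 signature over the downloaded bytes using a PEM
# public key. A malformed key or signature counts as a failed check.
def signature_ok?(public_key_pem, data, signature)
  key = OpenSSL::PKey::RSA.new(public_key_pem)
  key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
rescue OpenSSL::PKey::PKeyError
  false
end

if __FILE__ == $0
  manifest = parse_manifest(TRUSTED_MANIFEST)
  puts "checksum (intact):    #{checksum_ok?('example', '1.0.0', GEM_DATA, manifest)}"
  puts "checksum (modified):  #{checksum_ok?('example', '1.0.0', GEM_DATA + 'x', manifest)}"
  puts "signature (intact):   #{signature_ok?(PUBLIC_KEY_PEM, GEM_DATA, SIGNATURE)}"
  puts "signature (modified): #{signature_ok?(PUBLIC_KEY_PEM, GEM_DATA + 'x', SIGNATURE)}"
end
```

The two functions deliberately return `false` for anything that is not a clean match (unknown package, bad hex, broken key), so a verifier built on them refuses the download instead of falling back to trusting the HTTP response. Either approach only protects the package contents; the manifest or public key itself still has to arrive over a channel whose integrity the client can check, which is the role HTTPS plays in the proposal.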