Em 22-01-2014 16:39, luislavena / gmail.com escreveu: > Issue #9439 has been updated by Luis Lavena. > > > Shyouhei Urabe wrote: >> Very true. I have no idea on why RubyGems use https and not other tools. Any pointers? > AFAIK is to avoid MITM attacks and such, since if signatures are also stored along packages, how can you verify that the packages are not altered? I've always been curious about that, specially because the introduction of https://rubygems.org slowed down our deploys considerably and it's way slower to run bundler over the https version when compared to the regular http version. If the only concern is about MITM attacks and if the reason for the much slower gems downloading is because they are being served through an HTTPS connection, then it would probably be much faster if we only got the list of gems signature over an HTTPS connection, That way we'd be able to download the gems over regular http and then calculate the checksum and verify against the list of checksums downloaded from the secure connection. Or we could download the public key that signed all gems (in the case rubygems.org itself signed all gems) from a secure location (https) and perform all checks locally. Wouldn't that work and be much faster than the current alternative?