Issue #9439 has been updated by Rodrigo Rosenfeld Rosas.


 Em 22-01-2014 16:39, luislavena / gmail.com escreveu:
 > Issue #9439 has been updated by Luis Lavena.
 >
 >
 > Shyouhei Urabe wrote:
 >> Very true.  I have no idea on why RubyGems use https and not other tools.  Any pointers?
 > AFAIK is to avoid MITM attacks and such, since if signatures are also stored along packages, how can you verify that the packages are not altered?
 
 I've always been curious about that, specially because the introduction 
 of https://rubygems.org slowed down our deploys considerably and it's 
 way slower to run bundler over the https version when compared to the 
 regular http version.
 
 If the only concern is about MITM attacks and if the reason for the much 
 slower gems downloading is because they are being served through an 
 HTTPS connection, then it would probably be much faster if we only got 
 the list of gems signature over an HTTPS connection, That way we'd be 
 able to download the gems over regular http and then calculate the 
 checksum and verify against the list of checksums downloaded from the 
 secure connection. Or we could download the public key that signed all 
 gems (in the case rubygems.org itself signed all gems) from a secure 
 location (https) and perform all checks locally. Wouldn't that work and 
 be much faster than the current alternative?

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44522

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (ie: tooling, tests, etc). We can discuss them here.



-- 
http://bugs.ruby-lang.org/