Issue #9439 has been updated by Sam Kottler.


Rodrigo Rosenfeld Rosas wrote:
> Em 22-01-2014 16:39, luislavena / gmail.com escreveu:
>  > Issue #9439 has been updated by Luis Lavena.
>  >
>  >
>  > Shyouhei Urabe wrote:
>  >> Very true.  I have no idea on why RubyGems use https and not other tools.  Any pointers?
>  > AFAIK is to avoid MITM attacks and such, since if signatures are also stored along packages, how can you verify that the packages are not altered?
>  
>  I've always been curious about that, specially because the introduction 
>  of https://rubygems.org slowed down our deploys considerably and it's 
>  way slower to run bundler over the https version when compared to the 
>  regular http version.
>  
>  If the only concern is about MITM attacks and if the reason for the much 
>  slower gems downloading is because they are being served through an 
>  HTTPS connection, then it would probably be much faster if we only got 
>  the list of gems signature over an HTTPS connection, That way we'd be 
>  able to download the gems over regular http and then calculate the 
>  checksum and verify against the list of checksums downloaded from the 
>  secure connection. Or we could download the public key that signed all 
>  gems (in the case rubygems.org itself signed all gems) from a secure 
>  location (https) and perform all checks locally. Wouldn't that work and 
>  be much faster than the current alternative?

I'm one of the maintainers of rubygems.org and bundler and haven't ever heard this complaint before. Can you email me with more info about your environment? https should not be notably slower than http. And yes, your solution works, but the problem is that we currently don't have a mechanism for matching checksums to binaries AFAIK. So while possible in the theoretical sense, it's not as straight forward as you make it seem.

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44524

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (ie: tooling, tests, etc). We can discuss them here.



-- 
http://bugs.ruby-lang.org/