Issue #9439 has been updated by Shyouhei Urabe.


Sam Kottler wrote:
> Shyouhei Urabe wrote:
> > > All gem needs is the digital signature.
> > 
> > To be precise it only needs to verify signatures.  Signing itself can be done using other tools, like gpg(1).
> 
> Not really. GPG implementations are platform specific and require a higher level of end-user involvement than just plain SSL. Additionally, we need a way to handle secure public-key delivery and SSL is simply the most simple, and bulletproof way to do that.

RubyGems can include its public key in its canonical distribution.
Regardless of their doing so or not, never use Ruby source code
that you cannot trust.  Including public key(s) in the distribution is
not a practically complicated thing to do.
Of course, RubyGems itself might have to be downloaded using https,
but that can be done without Ruby's supporting OpenSSL.
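As an added illustration of the point made above (this is example code, not code from the issue thread or from RubyGems itself): a minimal RSASSA-PKCS1-v1_5 verifier that needs only Ruby's Integer arithmetic and the Digest library, with no OpenSSL binding. The verifier embeds just the public key (n, e), and the signing step stands in for an external tool such as gpg(1) or a release script. The key pair is constructed from two publicly known Mersenne primes so that the example runs offline; it is therefore a demo key with no secrecy, and the "gem bytes" are a constructed stand-in for a downloaded file.

```ruby
# Added example, not from the issue thread or RubyGems: verify an RSA
# PKCS#1 v1.5 signature with plain Integer arithmetic and Digest only.
require 'digest'

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = [0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
                      0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20].pack('C*').freeze

# EMSA-PKCS1-v1_5: 0x00 0x01 || 0xff... || 0x00 || DigestInfo || SHA-256(message)
def emsa_pkcs1_v15(message, em_len)
  t = SHA256_DIGEST_INFO + Digest::SHA256.digest(message)
  raise ArgumentError, 'modulus too short for PKCS#1 v1.5' if em_len < t.bytesize + 11
  "\x00\x01".b + ("\xff".b * (em_len - t.bytesize - 3)) + "\x00".b + t
end

# OS2IP / I2OSP: big-endian byte string <-> Integer of a fixed width.
def os2ip(bytes)
  bytes.unpack1('H*').to_i(16)
end

def i2osp(int, len)
  hex = int.to_s(16).rjust(len * 2, '0')
  raise ArgumentError, 'integer too large for the requested width' if hex.bytesize > len * 2
  [hex].pack('H*')
end

# Modular inverse by the extended Euclidean algorithm (key setup only).
def modinv(a, m)
  old_r, r = a, m
  old_s, s = 1, 0
  while r != 0
    q = old_r / r
    old_r, r = r, old_r - q * r
    old_s, s = s, old_s - q * s
  end
  raise ArgumentError, 'not invertible' unless old_r == 1
  old_s % m
end

# The verifier side: everything a distribution has to embed is (n, e).
class EmbeddedPublicKey
  attr_reader :n, :e

  def initialize(n, e)
    @n = n
    @e = e
  end

  def byte_length
    (n.bit_length + 7) / 8
  end

  # RSASSA-PKCS1-v1_5 verify: s^e mod n must equal the expected encoding.
  def verify(message, signature)
    return false unless signature.bytesize == byte_length
    s = os2ip(signature)
    return false if s >= n
    em = i2osp(s.pow(e, n), byte_length)
    em == emsa_pkcs1_v15(message, byte_length)
  rescue ArgumentError
    false
  end
end

# Stand-in for the external signing tool; never part of the verifier.
class DemoSigner
  def initialize(n, d)
    @n = n
    @d = d
  end

  def sign(message)
    k = (@n.bit_length + 7) / 8
    i2osp(os2ip(emsa_pkcs1_v15(message, k)).pow(@d, @n), k)
  end
end

# Demo key built from two publicly known Mersenne primes (2^521-1, 2^607-1)
# so the example is self-contained; a real key comes from a proper generator.
DEMO_P = (1 << 521) - 1
DEMO_Q = (1 << 607) - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = modinv(DEMO_E, (DEMO_P - 1) * (DEMO_Q - 1))

# Sign a constructed stand-in for a .gem file, then verify genuine and
# tampered inputs with only the public half of the key.
def demo
  key = EmbeddedPublicKey.new(DEMO_N, DEMO_E)
  gem_bytes = 'constructed stand-in for the bytes of a downloaded .gem file'.b
  sig = DemoSigner.new(DEMO_N, DEMO_D).sign(gem_bytes)
  flipped = sig.dup
  flipped.setbyte(flipped.bytesize - 1, flipped.getbyte(flipped.bytesize - 1) ^ 0x01)
  {
    genuine: key.verify(gem_bytes, sig),
    tampered_data: key.verify(gem_bytes + "\x00".b, sig),
    tampered_sig: key.verify(gem_bytes, flipped)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The verifier rejects a signature that is the wrong length or numerically at least n before doing any arithmetic, then compares the recovered encoding byte for byte against a freshly computed one, so padding errors cannot be mistaken for a valid signature.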

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44527

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss them here.



-- 
http://bugs.ruby-lang.org/