Issue #9439 has been updated by Tony Arcieri.


Eric Hodel wrote:
> I'm not informed of the details of how TUF works, but the implementation in progress uses OpenSSL to verify metadata and packages, so Ruby will still require OpenSSL.

Yes, TUF uses the RSASSA PKCS#1v1.5 digital signature algorithm to verify package integrity, and uses the implementation in OpenSSL

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44550

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (ie: tooling, tests, etc). We can discuss them here.



-- 
http://bugs.ruby-lang.org/