Issue #9439 has been updated by Yusuke Endoh.


Shyouhei Urabe wrote:
> OpenSSL seemed easy to support at first.  We only needed to
> wrap the C library with Ruby and that's it.  Now, things get more
> complicated.  People request us to keep being MORE SECURE THAN
> the OpenSSL itself.  That costs us very much.  I studied this topic
> these days very much and still have no idea how to actually abuse
> CRIME to get any unencrypted data.  It's as clear as sky that I cannot
> be more secure than the default without actually understanding
> its backgrounds; I lack knowledge, or experience, or maybe both.


Fully agreed.  That said, I'm not positive about the proposal as long as Martin Bosslet is willing to maintain the library.


Off-topic: A bigger problem is "kind" people.  In an extreme case, we can ignore those who just require something.  But it is far more difficult to ignore those who kindly say "I can help you."  In fact, they are sometimes much more harmful; they let us take a hard road, saying "don't worry, I'll help you!", and then they disappear.

This time, there are some persons who said so.  But I don't see their action after the actual patch appears.  Did they read it?  Did they verify it?  Do they have no opinion?  I don't know.  They must have become busy suddenly.  If they do not return, I'd have to say they tried to bullshit us in an innocent way.

Thus, I do not trust such "kind" words.  True contributors never say "I can contribute!", but do contribute first.

-- 
Yusuke Endoh <mame / tsg.ne.jp>

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44574

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss that here.



-- 
http://bugs.ruby-lang.org/