On Fri, Jan 24, 2014 at 09:05:18PM +0000, usa / garbagecollect.jp wrote:
> Issue #9439 has been updated by Usaku NAKAMURA.
> 
> 
> I would like to clarify the problem.
> 
> As already stated, RubyGems uses OpenSSL.
> To say strictly, RubyGems uses OpenSSL for https, signing, and its verification.
> Therefore, the options which we can take are as follows:
> (1) Maintain the present condition.
> (2) Remove OpenSSL and RubyGems together.
> (3) Prepare alternate features for https, signing, and its verification after removing OpenSSL.
> (4) Remove the dependence on these features from RubyGems after removing OpenSSL.
> (5) A mixture of (3) and (4).  That is, remove the dependence on some features from RubyGems, and prepare substitutes for the other features.
> 
> To my understanding, Shyouhei is taking position (4).
> That is, changing RubyGems to use plain http by default, and writing substitutes for signing and its verification (with GPG?).
> 
> There may be also a position in which (a part of) the features which OpenSSL offers is still required as a part of Ruby, even if RubyGems sets aside.
> I understand that Fabian said that the https support itself is required.
> 
> What do you think, everyone?

Can we take a less extreme approach?  We should convert openssl to a gem
that ships with Ruby (like json, minitest, psych, etc).  Then in case of
security issues in OpenSSL, we can just release the gem independently of
Ruby itself.  Such a case has already happened with the json gem.

I've done the initial work to make openssl a gem that ships with Ruby.
The patch is here:

  https://github.com/tenderlove/ruby/commit/fd96a5b1123ba1e56081ef2741a456096b4c4d12

It installs to my machine as a gem:

  https://dl.dropbox.com/s/km9msdsb0uuq3mj/ruby__bash__16136_20140124_105412.png

The downside is that the openssl extension uses Ruby internals
([ruby-core:60063]), so we can't actually ship a gem until it is
decoupled from Ruby internals.

Personally, I prefer that we continue to ship with openssl.  However,
even if I am in the minority, openssl must become a gem in order to
satisfy backwards compatibility requirements.  I would like to continue
to download my gems over SSL, use net/http in SSL mode, use securerandom
OpenSSL, etc. :-)

-- 
Aaron Patterson
http://tenderlovemaking.com/
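The thread above turns on whether RubyGems keeps https (and with it OpenSSL) for fetching gems. The script below is an added example, not code from the thread or from RubyGems itself: it classifies configured gem sources by scheme so that any plain-http source stands out, and reports whether the openssl extension loads in the running interpreter. The sample source list in the usage section is constructed for illustration; the function and helper names are my own.

```ruby
# Added example: audit gem sources for plain http and check that the
# openssl extension (needed for https fetches and signature verification)
# is loadable. Not part of the original thread.
require 'uri'
require 'rubygems'

# Classify a gem source URL by scheme. Returns :https, :http, :file, or :other.
def classify_source(source)
  uri = URI.parse(source.to_s)
  case uri.scheme
  when 'https' then :https
  when 'http'  then :http
  when 'file'  then :file
  else :other
  end
rescue URI::InvalidURIError
  :other
end

# Return only the sources fetched over plain http; a gem pulled over http
# can be altered in transit, which is the risk https is meant to remove.
def insecure_sources(sources)
  sources.select { |s| classify_source(s) == :http }
end

# True when the openssl extension loads in this interpreter. Without it
# RubyGems cannot fetch over https or verify signed gems.
def openssl_available?
  require 'openssl'
  true
rescue LoadError
  false
end

# Build a short report (one line per source, plus the openssl status).
def audit_report(sources)
  lines = sources.map { |s| format('%-6s %s', classify_source(s), s) }
  lines << (openssl_available? ? 'openssl: available' : 'openssl: MISSING')
  lines
end

if __FILE__ == $0
  # Constructed sample list; replace with Gem.sources.map(&:to_s) to audit
  # the live configuration of this machine.
  sample = ['https://rubygems.org/', 'http://gems.example.test/']
  puts audit_report(sample)
  bad = insecure_sources(sample)
  warn "plain-http sources: #{bad.join(', ')}" unless bad.empty?
end
```

Run it as-is to see the constructed sample, or swap in `Gem.sources.map(&:to_s)` to check the gem sources actually configured on a host; an empty result from `insecure_sources` together with `openssl: available` is the state the reply above argues for.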