Issue #9439 has been updated by Aaron Patterson.


 On Fri, Jan 24, 2014 at 09:05:18PM +0000, usa / garbagecollect.jp wrote:
 > Issue #9439 has been updated by Usaku NAKAMURA.
 > 
 > 
 > I would like to clarify the problem.
 > 
 > As already stated, RubyGems uses OpenSSL.
 > To say strictly, RubyGems uses OpenSSL for https, signing, and its verification.
 > Therefore, the options we can take are as follows:
 > (1) Maintain the present condition.
 > (2) Remove OpenSSL and RubyGems together.
 > (3) Prepare alternatives for https, signing, and its verification after removing OpenSSL.
 > (4) Remove the dependence on these features from RubyGems after removing OpenSSL.
 > (5) A mixture of (3) and (4).  That is, remove the dependence on some features from RubyGems, and prepare substitutes for the other features.
 > 
 > To my understanding, Shyouhei is taking position (4).
 > That is, changing RubyGems to use plain http by default, and writing substitutes for signing and its verification (with GPG?).
 > 
 > There may also be a position in which (a part of) the features which OpenSSL offers are still required as a part of Ruby, even if RubyGems is set aside.
 > I understand that Fabian said that the https support itself is required.
 > 
 > What do you think, everyone?
 
 Can we take a less extreme approach?  We should convert openssl to a gem
 that ships with Ruby (like json, minitest, psych, etc).  Then in case of
 security issues in OpenSSL, we can just release the gem independently of
 Ruby itself.  Such a case has already happened with the json gem.
 
 I've done the initial work to make openssl a gem that ships with Ruby.
 The patch is here:
 
   https://github.com/tenderlove/ruby/commit/fd96a5b1123ba1e56081ef2741a456096b4c4d12
 
 It installs to my machine as a gem:
 
   https://dl.dropbox.com/s/km9msdsb0uuq3mj/ruby__bash__16136_20140124_105412.png
 
 The downside is that the openssl extension uses Ruby internals
 ([ruby-core:60063]), so we can't actually ship a gem until it is
 decoupled from Ruby internals.
 
 Personally, I prefer that we continue to ship with openssl.  However,
 even if I am in the minority, openssl must become a gem in order to
 satisfy backwards compatibility requirements.  I would like to continue
 to download my gems over SSL, use net/http in SSL mode, use securerandom
 OpenSSL, etc. :-)
 
 -- 
 Aaron Patterson
 http://tenderlovemaking.com/

----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44581

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (i.e. tooling, tests, etc.), we can discuss it here.

-- 
http://bugs.ruby-lang.org/