Issue #9439 has been updated by Martin Bosslet.


Aaron Patterson wrote:
> On Sat, Jan 25, 2014 at 12:32:12AM +0000, mame / tsg.ne.jp wrote:
>  > Issue #9439 has been updated by Yusuke Endoh.
>  > 
>  > 
>  > Aaron Patterson wrote:
>  > >  Can we take a less extreme approach?  We should convert openssl to a gem
>  > >  that ships with Ruby (like json, minitest, psych, etc).
>  > 
>  > Then, who will maintain the OpenSSL gem?
>  
>  Presumably Martin.  Did he abandon it?

No, not at all :) 

>  > Shyouhei's point is that we can no longer develop the OpenSSL extension.
>  > Just converting it to a gem does not solve the problem at all.
>  
>  Which problem are you referring to?
>  

Those who know me also know that I've had my trouble with OpenSSL and I've been working towards an alternative. But right now, I think people are overreacting. Let's not jump ship just yet, especially not with any viable alternative in sight. I guess we can all agree that RubyGems with SSL is better than nothing at all, and for that alone I believe we cannot discard Ruby OpenSSL, at least today. And while #9424 is getting fairly emotional and frustrating for both sides, I say it's nothing that can't be fixed at this point.

I do like the idea of gemifying OpenSSL though (and of course, I'd also continue to maintain it), mostly because it would be easier to ship updates without requiring a full release of Ruby itself all the time. But there's one big problem that is hard to solve. I had already been discussing this with JRuby devs. If we make OpenSSL a gem outside stdlib, we immediately run into a chicken-egg problem: To be secure, we would want https gem downloads - but to get https, we need... the OpenSSL gem. Something like TUF will hopefully lead us to an alternative in the future.

Pinning RubyGems or any relying software to a fixed hash of a trusted version only goes so far, because you would have to retrieve that hash with out-of-bands means first, probably from an https site. Automating this process, e.g. with an http download of the expected hash, doesn't work because this hash could easily be MITMed without an https connection.

My feeling is that removal might be a tad too drastic, at least right now, but then, my answer is probably biased :)


----------------------------------------
Feature #9439: Remove OpenSSL from stdlib
https://bugs.ruby-lang.org/issues/9439#change-44616

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: lib
* Target version: current: 2.2.0
----------------------------------------
Regarding [ruby-core:59943], I agree with nobu that we should remove OpenSSL from ruby.

It's become too hard to maintain, and would better serve our users to encourage the use of a different implementation.

Another benefit of removing OpenSSL is the impact backport fixes have on the release management team.

Although I haven't yet determined the extent of work required to remove it (ie: tooling, tests, etc). We can discuss them here.



-- 
http://bugs.ruby-lang.org/