Issue #10793 has been reported by Roland Moriz. ---------------------------------------- Feature #10793: Infrastructure/Release-Management: Sign releases https://bugs.ruby-lang.org/issues/10793 * Author: Roland Moriz * Status: Open * Priority: Normal * Assignee: ---------------------------------------- Hi, currently Ruby releases are not cryptographically signed and distributed unencrypted via http. While there are some MD5-hashes on the web-site, it's cumbersome to automate and MD5 is already insecure. This is a huge security risk because currently it just takes a simple HTTP MITM attack to inject a backdoored ruby to downstream projects and end users, like e.g. the official Docker image (see https://github.com/docker-library/ruby/blob/master/2.2/Dockerfile#L12). Please sign the release files with a release/maintainer pgp/gpg key. Other OSS projects already sign their releases, e.g.: - PHP http://php.net/downloads.php - Python https://www.python.org/downloads/release/python-278/ Thank you. -- https://bugs.ruby-lang.org/