Issue #10793 has been updated by Yui NARUSE.


As far as I remember we discussed this topic before (but I can't find the ticket/mail).

Anyway the conclusion is hash digests for tarballs should be available through https.
If people can get hash digest through a trusted way, people can trust the tarball.
(though MD5 is not suitable as you say)

A release announce has such hash digests through https.
You can use this https://www.ruby-lang.org/ja/news/2014/12/25/ruby-2-2-0-released/

----------------------------------------
Feature #10793: Infrastructure/Release-Management: Sign releases
https://bugs.ruby-lang.org/issues/10793#change-51281

* Author: Roland Moriz
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
Hi,

currently Ruby releases are not cryptographically signed and distributed unencrypted via http. While there are some MD5-hashes on the web-site, it's cumbersome to automate and MD5 is already insecure.
This is a huge security risk because currently it just takes a simple HTTP MITM attack to inject a backdoored ruby to downstream projects and end users, like e.g. the official Docker image (see https://github.com/docker-library/ruby/blob/master/2.2/Dockerfile#L12).

Please sign the release files with a release/maintainer pgp/gpg key.

Other OSS projects already sign their releases, e.g.:

- PHP http://php.net/downloads.php
- Python https://www.python.org/downloads/release/python-278/

Thank you.





-- 
https://bugs.ruby-lang.org/