From: Aaron Patterson
Date: 2014-01-24T15:45:48-08:00
Subject: [ruby-core:60075] Re: [ruby-trunk - Feature #9439] Remove OpenSSL from stdlib

On Fri, Jan 24, 2014 at 09:05:18PM +0000, usa@garbagecollect.jp wrote:
> Issue #9439 has been updated by Usaku NAKAMURA.
>
> I would like to clarify the problem.
>
> As already stated, RubyGems uses OpenSSL.
> Strictly speaking, RubyGems uses OpenSSL for https, signing, and its verification.
> Therefore, the options we can take are as follows:
> (1) Maintain the present condition.
> (2) Remove OpenSSL and RubyGems together.
> (3) Prepare alternate features for https, signing, and its verification after removing OpenSSL.
> (4) Remove the dependence on these features from RubyGems after removing OpenSSL.
> (5) A mixture of (3) and (4). That is, remove the dependence on some features from RubyGems, and prepare substitutes for the other features.
>
> To my understanding, Shyouhei is taking position (4).
> That is, changing RubyGems to use plain http by default, and writing substitutes for signing and its verification (with GPG?).
>
> There may also be a position in which (a part of) the features which OpenSSL offers is still required as a part of Ruby, even if RubyGems is set aside.
> I understand that Fabian said that the https support itself is required.
>
> What do you think, everyone?

Can we take a less extreme approach? We should convert openssl to a gem that ships with Ruby (like json, minitest, psych, etc). Then in case of security issues in OpenSSL, we can just release the gem independently of Ruby itself. Such a case has already happened with the json gem.

I've done the initial work to make openssl a gem that ships with Ruby. The patch is here:

https://github.com/tenderlove/ruby/commit/fd96a5b1123ba1e56081ef2741a456096b4c4d12

It installs on my machine as a gem:

https://dl.dropbox.com/s/km9msdsb0uuq3mj/ruby__bash__16136_20140124_105412.png

The downside is that the openssl extension uses Ruby internals ([ruby-core:60063]), so we can't actually ship a gem until it is decoupled from Ruby internals.

Personally, I prefer that we continue to ship with openssl. However, even if I am in the minority, openssl must become a gem in order to satisfy backwards compatibility requirements. I would like to continue to download my gems over SSL, use net/http in SSL mode, use securerandom with OpenSSL, etc. :-)

--
Aaron Patterson
http://tenderlovemaking.com/