[ruby-core:73786] [Ruby trunk Feature#10793] Infrastructure/Release-Management: Sign releases
From: shyouhei@...
Date: 2016-02-12 21:20:42 UTC
List: ruby-core #73786
Issue #10793 has been updated by Shyouhei Urabe.

I'm not against the idea of additionally signing the releases but, Alexander E. Fischer wrote:

> Several commonly used TLS libraries such as OpenSSL and GnuTLS are plagued by security vulnerabilities

Then how can you say GnuPG is safe instead? Where is the difference? You are saying "SSL is insecure in general" and that is not a common idea I guess.

When HTTPS is in threat a system admin can and should fix their web server (maybe by upgrading the vulnerable SSL library, or by re-issuing the used certificate). Isn't this enough for securely downloading ruby? If you cannot trust our system admins will properly handle this situation and think they are malicious, then how on earth can you trust our products themselves? They can issue canonical releases at will. Or shouldn't they? Then should who?

----------------------------------------
Feature #10793: Infrastructure/Release-Management: Sign releases
https://bugs.ruby-lang.org/issues/10793#change-56965

* Author: Roland Moriz
* Status: Open
* Priority: Normal
* Assignee:
----------------------------------------
Hi,

currently Ruby releases are not cryptographically signed and distributed unencrypted via http. While there are some MD5 hashes on the web-site, it's cumbersome to automate and MD5 is already insecure.

This is a huge security risk because currently it just takes a simple HTTP MITM attack to inject a backdoored ruby to downstream projects and end users, like e.g. the official Docker image (see https://github.com/docker-library/ruby/blob/master/2.2/Dockerfile#L12).

Please sign the release files with a release/maintainer pgp/gpg key.

Other OSS projects already sign their releases, e.g.:

- PHP http://php.net/downloads.php
- Python https://www.python.org/downloads/release/python-278/

Thank you.

--
https://bugs.ruby-lang.org/
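The MITM scenario from the ticket, as an added example that is not part of this thread or of Ruby's own release tooling: an attacker on plain HTTP can swap the archive and recompute the checksum published beside it, but cannot forge a signature that the downloader checks against a public key obtained out of band. It assumes an RSA key from Ruby's openssl stdlib in place of a PGP/GPG release key, and uses constructed stand-in bytes rather than real tarballs.

```ruby
require "openssl"
require "digest"

# Constructed stand-ins for a genuine release archive and an attacker's modified
# copy; short strings, not real Ruby tarballs.
GENUINE_TARBALL    = "ruby-2.3.0.tar.gz: genuine release bytes".b
BACKDOORED_TARBALL = "ruby-2.3.0.tar.gz: backdoored release bytes".b

# Assumption: an RSA key from Ruby's openssl stdlib stands in for the PGP/GPG
# release key the ticket asks for; the shape of the verification is the same.
RELEASE_KEY = OpenSSL::PKey::RSA.new(2048)
# Obtained by the downloader out of band (keyserver, pinned in the Dockerfile), never from the same HTTP response as the tarball.
RELEASE_PUBKEY_PEM = RELEASE_KEY.public_key.to_pem

def sign_release(key, tarball)
  key.sign(OpenSSL::Digest.new("SHA256"), tarball)
end

# Checksum-only check: the published digest travels over the same channel as
# the tarball, so it catches accidental corruption, not deliberate substitution.
def checksum_ok?(tarball, published_sha256)
  Digest::SHA256.hexdigest(tarball) == published_sha256
end

# Signature check against the independently obtained public key.
def signature_ok?(pubkey_pem, tarball, signature)
  OpenSSL::PKey::RSA.new(pubkey_pem).verify(OpenSSL::Digest.new("SHA256"), signature, tarball)
rescue OpenSSL::PKey::PKeyError
  false
end

# What an on-path attacker on plain HTTP can do: swap the archive and recompute
# the digest shown beside it. The signature cannot be regenerated without the key.
def mitm_substitute(_tarball, _sha256, signature)
  [BACKDOORED_TARBALL, Digest::SHA256.hexdigest(BACKDOORED_TARBALL), signature]
end

def verify_download(tarball, sha256, signature)
  { checksum: checksum_ok?(tarball, sha256),
    signature: signature_ok?(RELEASE_PUBKEY_PEM, tarball, signature) }
end

# Runs both scenarios: the genuine download, then the same download after MITM.
def run_scenarios
  sig = sign_release(RELEASE_KEY, GENUINE_TARBALL)
  genuine = [GENUINE_TARBALL, Digest::SHA256.hexdigest(GENUINE_TARBALL), sig]
  tampered = mitm_substitute(*genuine)
  { genuine: verify_download(*genuine), tampered: verify_download(*tampered) }
end

puts run_scenarios.inspect
```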