[ruby-core:76194] [Ruby trunk Misc#12532] OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw
From:
martin.vahi@...1.com
Date:
2016-06-29 10:14:07 UTC
List:
ruby-core #76194
Issue #12532 has been updated by Martin Vahi. Actually, build scripts might try to use the operating system version of the OpenSSL and if they fail to use the operating system version, then they should use the embedded OpenSSL source as a backup option. ---------------------------------------- Misc #12532: OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw https://bugs.ruby-lang.org/issues/12532#change-59411 * Author: Martin Vahi * Status: Open * Priority: Normal * Assignee: ---------------------------------------- The result is that people do http://stackoverflow.com/a/25186429 ~~~ gem source -r https://rubygems.org/ gem source -a http://rubygems.org/ ~~~ leading to simplified man-in-the-middle attacks. Gems have build/installation scripts and the rest is, if not history, then the future. I state that an out-dated OpenSSL in the Ruby installation is far better than no OpenSSL at all. Therefore it is beneficial to embed a copy of the OpenSSL to the Ruby source, so that it gets built and is robustly available regardless of the operating system peculiarities. If that all sounds too mild, then there's another link for scaring the people, who read this comment: https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/ (archival copy: https://archive.is/06Lr5 ) As a historical reference, according to the movie about the Alan Turing http://www.imdb.com/title/tt2084970/ the German Enigma got cracked due to an operator error at the German operator side. The people there were just too lazy to change the "key" thoroughly enough. Thank You for reading my comment. -- https://bugs.ruby-lang.org/ Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe> <http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>