ruby-core

Issue #12532 has been updated by Marcus R端ckert.


you don't want to ship an intree copy of openssl.

the proper solution is that people should use their package manager and *understand* how to use them.

maybe we should make ruby's build hard fail when linking openssl fails.

----------------------------------------
Misc #12532: OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw
https://bugs.ruby-lang.org/issues/12532#change-59412

* Author: Martin Vahi
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------

The result is that people do 

http://stackoverflow.com/a/25186429

~~~
gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/
~~~

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest 
is, if not history, then the future.
I state that an out-dated OpenSSL in the Ruby 
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of 
the OpenSSL to the Ruby source, so that it 
gets built and is robustly available regardless
of the operating system peculiarities.

If that all sounds too mild, then there's another 
link for scaring the people, who read this comment:

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
(archival copy: https://archive.is/06Lr5 )

As a historical reference, according to the 
movie about the Alan Turing

http://www.imdb.com/title/tt2084970/

the German Enigma got cracked due to 
an operator error at the German operator side.
The people there were just too lazy to 
change the "key" thoroughly enough.

Thank You for reading my comment.




-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>