From: darix@...
Date: 2016-06-29T10:23:17+00:00
Subject: [ruby-core:76195] [Ruby trunk Misc#12532] OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw

Issue #12532 has been updated by Marcus Rückert.

You don't want to ship an in-tree copy of openssl. The proper solution is that people should use their package manager and *understand* how to use them. Maybe we should make ruby's build hard fail when linking openssl fails.

----------------------------------------
Misc #12532: OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw
https://bugs.ruby-lang.org/issues/12532#change-59412

* Author: Martin Vahi
* Status: Open
* Priority: Normal
* Assignee:
----------------------------------------
The result is that people do http://stackoverflow.com/a/25186429

~~~
gem source -r https://rubygems.org/
gem source -a http://rubygems.org/
~~~

leading to simplified man-in-the-middle attacks. Gems have build/installation scripts and the rest is, if not history, then the future.

I state that an outdated OpenSSL in the Ruby installation is far better than no OpenSSL at all. Therefore it is beneficial to embed a copy of OpenSSL in the Ruby source, so that it gets built and is robustly available regardless of the operating system peculiarities.

If that all sounds too mild, then there's another link for scaring the people who read this comment:
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/ (archival copy: https://archive.is/06Lr5 )

As a historical reference, according to the movie about Alan Turing http://www.imdb.com/title/tt2084970/ the German Enigma got cracked due to an operator error on the German operator side. The people there were just too lazy to change the "key" thoroughly enough.

Thank you for reading my comment.

-- 
https://bugs.ruby-lang.org/
Unsubscribe:
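The two failure modes the thread turns on are a Ruby build that silently lacks the openssl extension and a gem configuration that has been "fixed" by adding a plain-HTTP source. The following is an added example, not code from the ruby-core thread or from the Ruby project: a post-build check script that fails hard on either condition, which is the kind of hard failure darix suggests but enforced on the installed interpreter rather than in the build. The function names, the sample `gem sources -l` output and the `--live` flag are all constructed for this illustration.

```ruby
require "uri"

# Constructed sample in the shape `gem sources -l` prints. The second entry
# is the plain-HTTP mirror that the StackOverflow workaround adds.
SAMPLE_GEM_SOURCES_OUTPUT = <<~OUT
  *** CURRENT SOURCES ***

  https://rubygems.org/
  http://rubygems.org/
OUT

# Version string of the OpenSSL library this ruby was linked against, or nil
# when the openssl extension is missing (the case where the build silently
# skipped it because linking OpenSSL failed).
def ruby_openssl_version
  require "openssl"
  OpenSSL::OPENSSL_LIBRARY_VERSION
rescue LoadError
  nil
end

# Reduce `gem sources -l` output to the bare source URIs (drop the
# "*** CURRENT SOURCES ***" header and blank lines).
def parse_gem_sources_output(text)
  text.lines.map(&:strip).reject { |line| line.empty? || line.start_with?("***") }
end

# Every source that is not served over https. Entries without a scheme or
# that do not parse at all are reported as insecure rather than ignored.
def insecure_gem_sources(sources)
  sources.select do |src|
    uri = begin
      URI.parse(src)
    rescue URI::InvalidURIError
      nil
    end
    uri.nil? || uri.scheme != "https"
  end
end

# Collect human-readable problems; an empty array means the setup is sound.
def check_ruby_tls_setup(sources_output)
  problems = []
  problems << "ruby has no usable openssl extension (built without OpenSSL)" if ruby_openssl_version.nil?
  insecure_gem_sources(parse_gem_sources_output(sources_output)).each do |src|
    problems << "gem source not served over https: #{src}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # With --live, inspect the real gem configuration; otherwise use the sample.
  live = ARGV.include?("--live")
  output = live ? `gem sources -l` : SAMPLE_GEM_SOURCES_OUTPUT
  problems = check_ruby_tls_setup(output)
  if problems.empty?
    puts "OK: OpenSSL #{ruby_openssl_version}; all gem sources use https"
  else
    problems.each { |p| warn "FAIL: #{p}" }
    exit 1 if live
  end
end
```

Run it as `ruby check_tls.rb --live` at the end of a Ruby build or image build; a non-zero exit then stops the pipeline before anything installs gems over an unauthenticated channel. Checking `OpenSSL::OPENSSL_LIBRARY_VERSION` rather than merely `require "openssl"` also surfaces which library the interpreter actually linked, which is what the "outdated OpenSSL is better than none" argument in the thread needs to be evaluated against.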