[ruby-core:76201] [Ruby trunk Misc#12532][Rejected] OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw

From: k@...
Date: 2016-06-29 13:13:10 UTC
List: ruby-core #76201
Issue #12532 has been updated by Kazuki Yamaguchi.

Status changed from Open to Rejected

Martin Vahi wrote:
> The result is that people do 
> 
> http://stackoverflow.com/a/25186429
> 
> ~~~
> gem source -r https://rubygems.org/ 
> gem source -a http://rubygems.org/
> ~~~
> 
> leading to simplified man-in-the-middle attacks.
> Gems have build/installation scripts and the rest 
> is, if not history, then the future.

~~~
$ gem install <something>
Error: while executing gem (Gem::Exception)
  Unable to require openssl. install openSSL and rebuilt ruby (preferred) or use non HTTPs sources
~~~

The error message clearly says that rebuilding Ruby with ext/openssl is preferred. It is the responsibility of the user not to follow that.

> I state that an out-dated OpenSSL in the Ruby 
> installation is far better than no OpenSSL at all.
> Therefore it is beneficial to embed a copy of 
> the OpenSSL to the Ruby source, so that it 
> gets built and is robustly available regardless
> of the operating system peculiarities.

I don't think so. A broken OpenSSL doesn't improve security at all. Since OpenSSL (or LibreSSL) is usually already installed on the system, the real problem is that the user is not passing a correct --with-openssl-dir to the configure script, or the user just forgets to install the header files.

----------------------------------------
Misc #12532: OpenSSL is so Difficult to find for Ruby Build Scripts that it Introduces a Security flaw
https://bugs.ruby-lang.org/issues/12532#change-59415

* Author: Martin Vahi
* Status: Rejected
* Priority: Normal
* Assignee: 
----------------------------------------

The result is that people do 

http://stackoverflow.com/a/25186429

~~~
gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/
~~~

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest 
is, if not history, then the future.
I state that an out-dated OpenSSL in the Ruby 
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of 
the OpenSSL to the Ruby source, so that it 
gets built and is robustly available regardless
of the operating system peculiarities.

If that all sounds too mild, then there's another 
link for scaring the people, who read this comment:

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
(archival copy: https://archive.is/06Lr5 )

As a historical reference, according to the 
movie about Alan Turing

http://www.imdb.com/title/tt2084970/

the German Enigma got cracked due to 
an operator error on the German operator side.
The people there were just too lazy to 
change the "key" thoroughly enough.

Thank You for reading my comment.




-- 
https://bugs.ruby-lang.org/
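The following is an added example, not code from the thread above or from the Ruby project. It turns the two failure modes discussed in the exchange into something checkable: whether this interpreter can load ext/openssl at all (the condition behind the "Unable to require openssl" error), whether the gem sources in use include a plain-http source of the kind the Stack Overflow workaround adds, and whether a candidate `--with-openssl-dir` prefix actually contains both the headers and the library that the extension build needs. The sample source list and the prefix layout probed by `openssl_prefix_check` are constructed for the example; the functions do not modify the system.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the ruby-core thread): audit a RubyGems setup for the
# problem discussed above -- a Ruby built without ext/openssl that gets "fixed"
# by switching the gem source from https to http.
require 'uri'
require 'tmpdir'
require 'fileutils'

# Constructed sample of `gem sources` output: the first entry is the default,
# the second is what the Stack Overflow workaround adds, the third an assumed
# internal mirror.
SAMPLE_SOURCES = [
  'https://rubygems.org/',
  'http://rubygems.org/',
  'https://gems.example.internal/'
].freeze

# Probe whether the OpenSSL extension can be loaded by this interpreter.
# A LoadError here is exactly the condition that makes `gem install` print
# "Unable to require openssl"; the fix is to rebuild Ruby against an OpenSSL
# whose headers are installed, not to drop to http.
def openssl_status
  require 'openssl'
  { available: true,
    library: OpenSSL::OPENSSL_LIBRARY_VERSION, # version of the linked libssl
    headers: OpenSSL::OPENSSL_VERSION }        # version ext/openssl was compiled against
rescue LoadError => e
  { available: false, error: e.message }
end

# Return the gem sources that do not use TLS. An http:// source lets an
# on-path attacker substitute gem contents, and gems run install-time code
# (extconf.rb, Rakefiles), so this is code execution, not just a download risk.
def insecure_sources(sources)
  sources.select do |src|
    scheme = URI.parse(src).scheme
    scheme.nil? || scheme.downcase != 'https'
  rescue URI::InvalidURIError
    true # an unparseable source is not known to be protected either
  end
end

# Check whether an OpenSSL prefix has what ext/openssl's extconf.rb needs:
# the headers (the part people forget to install) and the shared library.
# Returns both flags so the caller can tell "no headers" from "no library".
# `prefix` is whatever the user would pass as --with-openssl-dir.
def openssl_prefix_check(prefix)
  header = File.join(prefix, 'include', 'openssl', 'ssl.h')
  libs = Dir.glob(File.join(prefix, 'lib*', 'libssl.{so,dylib,a}*'))
  { headers: File.file?(header), library: !libs.empty? }
end

if $PROGRAM_NAME == __FILE__
  status = openssl_status
  puts "ext/openssl loadable: #{status[:available]}"
  puts "  #{status[:library]} (built against #{status[:headers]})" if status[:available]

  # Audit the sources this RubyGems is actually configured with.
  bad = insecure_sources(Gem.sources.to_a)
  puts bad.empty? ? 'all gem sources use https' : "plain-http gem sources: #{bad.join(', ')}"

  # Assumed prefix; replace with the one your distribution or Homebrew uses.
  prefix = ARGV.first || '/usr/local'
  check = openssl_prefix_check(prefix)
  puts "#{prefix}: headers=#{check[:headers]} library=#{check[:library]}"
  puts "  -> install the OpenSSL development package before rebuilding Ruby" if check[:library] && !check[:headers]
end
```

Run it as `ruby audit.rb /path/to/openssl-prefix`; if `library` is true but `headers` is false, the prefix has libssl but not the `-dev`/`-devel` package, which is the "forgot the header files" case from the reply, and `./configure --with-openssl-dir=<prefix>` will silently build a Ruby without ext/openssl.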
