I'm not sure what to do about the cert stuff, but we do need OpenSSL as a dependency since `gem push`, `gem owner`, and the like use SSL to talk to rubygems.org. Unless you prefer your passwords sent in the clear. :)
On Mon, Jan 17, 2011 at 10:35 AM, Hiroshi Nakamura <[email protected]> wrote:
> Hi, rubygems developers!
>
> Subject says it all: let me put forward a proposal for deprecation (and eventual removal) of the 'cert' command.
>
> - The 'cert' command is not used. There are almost no signed gems distributed.
>
> - The gem security feature discussed in the RDoc of lib/rubygems/security.rb looks like it's an original trust framework, which means no security auditing is performed. It uses PKIX X509 certificates, but the certificate trust chain validation and certificate verification do not conform to RFC5280/3280: no CA check, no keyUsage check, and the validity period is only partly checked (test/rubygems/public_cert.pem is expired but the test passes.)
>
> - The gem security implementation still has lots of TODOs according to the RDoc, but AFAIK no sign of progress.
>
> - It's the only reason why rubygems depends on openssl. By removing the 'cert' command, rubygems becomes openssl-free.
>
> To be honest, the last one is the most important reason for me, as the author of CRuby's ext/openssl and as a committer of JRuby. :)
>
> I'm not familiar with rubygems, so I may be misunderstanding something. Please correct me if I'm wrong. Thank you for your attention to my proposal.
>
> Regards,
> // NaHi
> _______________________________________________
> Rubygems-developers mailing list
> http://rubyforge.org/projects/rubygems
> [email protected]
> http://rubyforge.org/mailman/listinfo/rubygems-developers
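
The checks the proposal lists as missing (a trust anchor, the validity period, keyUsage) performed with Ruby's own OpenSSL::X509::Store, as an added example that is not code from the thread or from rubygems; the CA, subject names and keys are constructed in memory for the demonstration.

```ruby
require 'openssl'

# Constructed example: build a throwaway CA and leaf certificates in memory.
# Subject names and keys are made up; nothing here is read from disk.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, not_before:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', "CA:#{ca}".upcase, true))
  usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns [ok, reason]. The store does the RFC 5280 chain work (issuer lookup,
# signature, validity period against the trust anchors); keyUsage on the leaf is
# checked explicitly, since OpenSSL does not enforce it for a code-signing leaf.
def verify_signing_cert(leaf, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  return [false, store.error_string] unless store.verify(leaf)
  ku = leaf.extensions.find { |e| e.oid == 'keyUsage' }
  return [false, 'missing keyUsage'] unless ku
  return [false, "keyUsage is #{ku.value}"] unless ku.value.include?('Digital Signature')
  [true, 'ok']
end

# Three cases: a valid chained cert, an expired one (the mail's public_cert.pem
# situation) and a self-signed cert that no trusted CA issued.
def demo
  now = Time.now
  ca_key, leaf_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Example Gem CA', ca_key, ca: true, not_before: now - 60, not_after: now + 86_400)
  good = make_cert('dev', leaf_key, issuer: ca, issuer_key: ca_key, not_before: now - 60, not_after: now + 86_400)
  expired = make_cert('dev', leaf_key, issuer: ca, issuer_key: ca_key, not_before: now - 7200, not_after: now - 3600)
  self_signed = make_cert('dev', leaf_key, not_before: now - 60, not_after: now + 86_400)
  { good: verify_signing_cert(good, [ca]),
    expired: verify_signing_cert(expired, [ca]),
    untrusted: verify_signing_cert(self_signed, [ca]) }
end
```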
