<p>Ruby Issue Tracking System (https://bugs.ruby-lang.org/)</p>
<p>Ruby master - Feature #10793: Infrastructure/Release-Management: Sign releases<br>
https://bugs.ruby-lang.org/issues/10793?journal_id=51281<br>
2015-01-29T06:31:50Z, naruse (Yui NARUSE), naruse@airemix.jp</p>
<p>As far as I remember we discussed this topic before (but I can't find the ticket/mail).</p>
<p>Anyway the conclusion is hash digests for tarballs should be available through https.<br>
If people can get hash digest through a trusted way, people can trust the tarball.<br>
(though MD5 is not suitable as you say)</p>
<p>A release announcement has such hash digests through https.<br>
You can use this <a href="https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/" class="external">https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/</a></p>
<p>Ruby master - Feature #10793: Infrastructure/Release-Management: Sign releases<br>
https://bugs.ruby-lang.org/issues/10793?journal_id=56955<br>
2016-02-11T09:51:38Z, aef (Alexander E. Fischer), aef@raxys.net</p>
<p>Yui NARUSE wrote:</p>
<blockquote>
<p>As far as I remember we discussed this topic before (but I can't find the ticket/mail).</p>
<p>Anyway the conclusion is hash digests for tarballs should be available through https.<br>
If people can get hash digest through a trusted way, people can trust the tarball.<br>
(though MD5 is not suitable as you say)</p>
<p>A release announcement has such hash digests through https.<br>
You can use this <a href="https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/" class="external">https://www.ruby-lang.org/en/news/2014/12/25/ruby-2-2-0-released/</a></p>
</blockquote>
<p>Several commonly used TLS libraries such as OpenSSL and GnuTLS are plagued by security vulnerabilities, some parts of the TLS standard have been backdoored by government agencies in the past, and to be able to use TLS you are expected to set up hundreds of highly non-transparent X.509 certificate authorities located in all kinds of jurisdictions all over the world. Even worse, the aforementioned CAs earn their living by delegating your "trust" to mostly anyone that can afford it monetarily by providing intermediate certificate authorities.</p>
<p>HTTPS relies solely upon TLS for its security features. Therefore I argue that the security provided by the current HTTPS setup is very low.</p>
<p>Please reconsider providing OpenPGP signatures (for example through GnuPG) for the release announcements including the release artifact checksums and/or the release artifacts (e.g. source code archives) themselves.</p>
<p>I am willing to provide support implementing this.</p>
<p>Ruby master - Feature #10793: Infrastructure/Release-Management: Sign releases<br>
https://bugs.ruby-lang.org/issues/10793?journal_id=56965<br>
2016-02-12T21:20:41Z, shyouhei (Shyouhei Urabe), shyouhei@ruby-lang.org</p>
<p>I'm not against the idea of additionally signing the releases but,</p>
<p>Alexander E. Fischer wrote:</p>
<blockquote>
<p>Several commonly used TLS libraries such as OpenSSL and GnuTLS are plagued by security vulnerabilities</p>
</blockquote>
<p>Then how can you say GnuPG is safe instead? Where is the difference?</p>
<p>You are saying "SSL is insecure in general" and that is not a common idea I guess.</p>
<p>When HTTPS is under threat a system admin can and should fix their web server (maybe by upgrading the vulnerable SSL library, or by reissuing the used certificate). Isn't this enough for securely downloading ruby? If you cannot trust that our system admins will properly handle this situation and think they are malicious, then how on earth can you trust our products themselves? They can issue canonical releases at will. Or shouldn't they? Then who should?</p>