Project

General

Profile

Actions

Feature #10793

open

Infrastructure/Release-Management: Sign releases

Added by rmoriz (Roland Moriz) over 6 years ago. Updated over 5 years ago.

Status:
Open
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:67862]

Description

Hi,

currently Ruby releases are not cryptographically signed and distributed unencrypted via http. While there are some MD5-hashes on the web-site, it's cumbersome to automate and MD5 is already insecure.
This is a huge security risk because currently it just takes a simple HTTP MITM attack to inject a backdoored ruby to downstream projects and end users, like e.g. the official Docker image (see https://github.com/docker-library/ruby/blob/master/2.2/Dockerfile#L12).

Please sign the release files with a release/maintainer pgp/gpg key.

Other OSS projects already sign their releases, e.g.:

Thank you.

Actions

Also available in: Atom PDF