Bug #15384

ssl_certs are duplicated in RubyGems and Bundler

Added by vo.x (Vit Ondruch) 8 days ago. Updated 7 days ago.

Status: Assigned
Priority: Normal
Target version: -
ruby -v: ruby 2.6.0dev (2018-11-29 trunk 66092) [x86_64-linux]
[ruby-core:90313]

Description

It is a pity that the same ssl_certs are shipped in multiple places, once as part of RubyGems and the other set as part of Bundler. This makes the security review much harder (actually, in Fedora/RHEL packages, we are not supposed to ship any certificates, so it makes it harder to remove them).

Therefore, please ship just one copy of the certificates if really necessary (it should not be necessary on properly maintained systems).

History

#1 [ruby-core:90324] Updated by shevegen (Robert A. Heiler) 7 days ago

Agree on the "one rather than two". It is probably redundant after the merge.

I can't answer the second sentence since there may have been (different?)
reasons for adding certificates - but it would make sense to require only
one rather than two either way.

#2 [ruby-core:90335] Updated by hsbt (Hiroshi SHIBATA) 7 days ago

  • Assignee set to hsbt (Hiroshi SHIBATA)
  • Status changed from Open to Assigned
