Hi, rubygems developers! Subject says it all, let me put forward a proposal of 'cert' command deprecation (and eventually removal.)
- 'cert' command is not used. There's almost no signed gem distributed.
- The gem security feature discussed in RDoc of lib/rubygems/security.rb looks like it's an original trust framework, which means no security auditing is performed. It uses PKIX X509 certificates, but the certificate trust chain validation and certificate verification do not conform to RFC5280/3280. No CA check, no keyUsage check, and the validity period is checked only partly (test/rubygems/public_cert.pem is expired but the test passes.)
- The gem security implementation still has lots of TODOs according to the RDoc, but AFAIK no sign of progress.
- It's the only reason why rubygems depends on openssl. With removing the 'cert' command, rubygems gets openssl free.

To be honest, the last one is the most important reason for me, as an author of CRuby's ext/openssl and as a committer of JRuby. :)

I'm not familiar with rubygems so I should be misunderstanding something. Please correct me if I'm wrong.

Thank you for your attention to my proposal.

Regards,
// NaHi

_______________________________________________
Rubygems-developers mailing list
http://rubyforge.org/projects/rubygems
Rubygems-developers@rubyforge.org
http://rubyforge.org/mailman/listinfo/rubygems-developers
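Added example, not code from the post or from rubygems: the RFC 5280 checks the post says 'gem cert' skips (chain to a trusted CA, issuer CA-ness, validity period at verification time, keyUsage on the signing certificate) done with Ruby's OpenSSL::X509::Store. The certificate chain, keys and names are constructed here for illustration.

```ruby
require 'openssl'

# Build a constructed X.509 v3 certificate; self-signed when no issuer is given.
# ku is an OpenSSL keyUsage string such as 'digitalSignature' or 'keyCertSign, cRLSign'.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca:, ku:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # v3, so extensions are honoured
  cert.serial = 1 + rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ku, true))  # critical, per RFC 5280
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a gem-signing certificate against trusted roots. OpenSSL's path validation
# does chain building, the issuer CA check (basicConstraints/keyUsage) and the
# validity window at +time+; the signing cert's own keyUsage is checked afterwards.
def verify_signing_cert(cert, roots, chain: [], time: Time.now)
  store = OpenSSL::X509::Store.new
  store.time = time
  roots.each { |r| store.add_cert(r) }
  ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
  return [false, ctx.error_string] unless ctx.verify
  ku = cert.extensions.find { |e| e.oid == 'keyUsage' }
  return [false, 'keyUsage missing'] if ku.nil?
  return [false, 'keyUsage does not permit signing'] unless ku.value.split(', ').include?('Digital Signature')
  [true, 'ok']
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT    = make_cert('/CN=Constructed Root CA', CA_KEY, ca: true, ku: 'keyCertSign, cRLSign', not_after: Time.now + 86400)
GOOD    = make_cert('/CN=gem author', LEAF_KEY, issuer: ROOT, issuer_key: CA_KEY, ca: false, ku: 'digitalSignature', not_after: Time.now + 86400)
EXPIRED = make_cert('/CN=gem author', LEAF_KEY, issuer: ROOT, issuer_key: CA_KEY, ca: false, ku: 'digitalSignature', not_after: Time.now - 1)
NOSIGN  = make_cert('/CN=gem author', LEAF_KEY, issuer: ROOT, issuer_key: CA_KEY, ca: false, ku: 'keyEncipherment', not_after: Time.now + 86400)
# A CA:FALSE leaf used as an issuer: OpenSSL's issuer/CA checks must reject this chain.
ROGUE   = make_cert('/CN=rogue', OpenSSL::PKey::RSA.new(2048), issuer: GOOD, issuer_key: LEAF_KEY, ca: false, ku: 'digitalSignature', not_after: Time.now + 86400)

if $0 == __FILE__
  p verify_signing_cert(GOOD, [ROOT])
  p verify_signing_cert(EXPIRED, [ROOT])
  p verify_signing_cert(ROGUE, [ROOT], chain: [GOOD])
end
```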