On Jan 17, 2011, at 07:35, Hiroshi Nakamura wrote:

> Hi, rubygems developers!
>
> Subject says it all, let me put forward a proposal of 'cert' command
> deprecation (and eventually removal.)
>
> - 'cert' command is not used. There's almost no signed gem distributed.

I would like there to be more signed gems. Like many commands of RubyGems, users do not know about it.

> - the gem security feature discussed in RDoc of
> lib/rubygems/security.rb looks like it's an original trust-framework, which
> means no security auditing is performed. It uses PKIX X509
> certificates but the certificate trust chain validation and
> certificate verification is not conformed to RFC5280/3280. No CA
> check, no keyUsage check, and validity period is checked partly
> (test/rubygems/public_cert.pem is expired but test passes.)

Can you help us conform? I will look into these RFCs to improve validation.

> - the gem security implementation still has lots of TODOs according to
> the RDoc but AFAIK no sign of progress.

Unfortunately I do not know much about building good security for gems. I am afraid to write code because I do not want to do it wrong (and there have been bigger problems to solve).

> - It's the only reason why rubygems depends on openssl. With removing
> 'cert' command, rubygems gets openssl free.
>
> To be honest, the last one is the most important reason for me, as an
> author of CRuby's ext/openssl and as a committer of JRuby. :)
>
> I'm not familiar with rubygems so I should be misunderstanding
> something. Please correct me if I'm wrong. Thank you for your
> attention to my proposal.

Since I have seen your other post, I will make openssl optional even for gem commands so that openssl is required only when necessary. Will this be sufficient?
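The three checks the quoted proposal lists as missing (CA check, keyUsage check, full validity-period check), written with Ruby's OpenSSL bindings as an added example; this is not RubyGems code and not part of the original thread. The helpers `make_cert`, `ext_values` and `chain_problems` and all sample certificates are constructed for illustration.

```ruby
require "openssl"

# Constructed sample certificates for this example (not real gem certificates).
def make_cert(cn, key, issuer, signer_key, exts, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 86_400
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  exts.each { |name, value| cert.add_extension(ef.create_extension(name, value, true)) }
  cert.sign(signer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Printed values of one extension, or nil when the extension is absent.
def ext_values(cert, oid)
  ext = cert.extensions.find { |e| e.oid == oid }
  ext ? ext.value.split(/,\s*/) : nil
end

# Validity period, CA flag and keyUsage on top of the bare signature check.
def chain_problems(leaf, issuer, at = Time.now)
  problems = []
  stale = [leaf, issuer].any? { |c| at < c.not_before || at > c.not_after }
  problems << :outside_validity if stale
  bc = ext_values(issuer, "basicConstraints")
  problems << :issuer_not_ca unless bc && bc.include?("CA:TRUE")
  ku = ext_values(issuer, "keyUsage")
  problems << :issuer_lacks_key_cert_sign if ku && !ku.include?("Certificate Sign")
  problems << :bad_signature unless leaf.verify(issuer.public_key)
  problems
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
SOON = Time.now + 3600
CA_EXTS = { "basicConstraints" => "CA:TRUE", "keyUsage" => "keyCertSign,cRLSign" }
LEAF_EXTS = { "basicConstraints" => "CA:FALSE", "keyUsage" => "digitalSignature" }
GOOD_CA = make_cert("Test CA", CA_KEY, nil, CA_KEY, CA_EXTS, SOON)
NOT_A_CA = make_cert("Plain signer", CA_KEY, nil, CA_KEY, LEAF_EXTS, SOON)
LEAF = make_cert("gem author", LEAF_KEY, GOOD_CA, CA_KEY, LEAF_EXTS, SOON)
EXPIRED_LEAF = make_cert("gem author", LEAF_KEY, GOOD_CA, CA_KEY, LEAF_EXTS, Time.now - 60)
LEAF_FROM_NON_CA = make_cert("gem author", LEAF_KEY, NOT_A_CA, CA_KEY, LEAF_EXTS, SOON)
```

A signature-only comparison accepts all three leaf certificates here; `OpenSSL::X509::Store#verify` is the library's own path validation and is the better choice outside of a demonstration.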