[Bug 1467716] Re: "gem install" fetches packages from unencrypted HTTP URL
Robie Basak
1467716 at bugs.launchpad.net
Tue Jun 23 09:36:30 UTC 2015
Thank you for taking the time to report this bug and helping to make
Ubuntu better.
I know that years ago "gem install" was horribly insecure, but I believe
this has been improved upstream? So is this a bug in Ubuntu's packaging,
or is it that it is fixed in a newer upstream (and/or Ubuntu) release,
or is what you're reporting still a problem upstream?
I'll also note that using unencrypted HTTP isn't necessarily "insecure".
Cryptographic verification can be done using digital signatures outside
the transport protocol (for example apt does this), which is arguably
more secure because it protects data at rest as well as in transit. For
example, even if an apt mirror is compromised, the signatures and thus
the package contents cannot be, since the apt repository's private signing
keys aren't held on any mirror.
Finally, HTTPS doesn't necessarily protect privacy for software
repositories either, as any attacker who could compromise your HTTP
download can also observe the size and timing of your HTTPS downloads
and thus often be able to guess what packages you downloaded from a
repository that is already public.
So it would be useful if you could please clarify exactly what you mean
by "insecure", and what needs to be fixed in Ubuntu as opposed to what
is available in a newer release and what needs fixing upstream.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby1.9.1 in Ubuntu.
https://bugs.launchpad.net/bugs/1467716
Title:
"gem install" fetches packages from unencrypted HTTP URL
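As an added illustration of the out-of-band signature point made in the reply above (example code written here, not from the message, RubyGems or apt): a detached signature is produced with a key that never sits on a mirror, and the client verifies the received bytes against it regardless of the transport. The RSA key, the in-memory "mirror" store and the package contents are all constructed for the example.

```ruby
require 'openssl'

# Constructed example: the repository signing key stays offline with the
# key holder; only the public half is distributed to clients.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLIC_KEY  = OpenSSL::PKey::RSA.new(SIGNING_KEY.public_key.to_pem)

# Sign the package bytes (SHA-256 under RSA) with the offline key.
def sign_package(contents, key = SIGNING_KEY)
  key.sign(OpenSSL::Digest.new('SHA256'), contents)
end

# Client-side check: true only if the bytes received (over HTTP, HTTPS or
# from disk, the transport does not matter) are what the key holder signed.
def verify_package(contents, signature, pub = PUBLIC_KEY)
  pub.verify(OpenSSL::Digest.new('SHA256'), signature, contents)
rescue OpenSSL::PKey::PKeyError
  false
end

# A mirror only stores and serves bytes; it holds no signing key, so a
# compromised mirror can alter a package but cannot re-sign it.
def mirror_fetch(store, name)
  [store[name][:data], store[name][:sig]]
end

# Returns [verification result for the genuine package,
#          verification result after the mirror copy was tampered with].
def demo
  original = 'constructed-gem-bytes: version 1.0'
  store = { 'foo.gem' => { data: original, sig: sign_package(original) } }

  good_data, good_sig = mirror_fetch(store, 'foo.gem')
  good = verify_package(good_data, good_sig)

  # Mirror copy modified at rest; the signature stays the old one.
  store['foo.gem'][:data] = 'constructed-gem-bytes: version 1.0 (modified)'
  bad_data, bad_sig = mirror_fetch(store, 'foo.gem')
  bad = verify_package(bad_data, bad_sig)

  [good, bad]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run as a script it prints `[true, false]`: the untouched package verifies and the modified mirror copy is rejected, which is the property HTTPS alone does not give you for data at rest.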