As noted in Novell's bug report [1], gem will install ruby gems via http:// when it could do so via https://. I checked and on Fedora 18 at least, with no /etc/gemrc, the install is done via http:

sudo gem install --verbose haml
[sudo] password for vdanen:
GET http://rubygems.org/latest_specs.4.8.gz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET http://bb-m.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
GET http://rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
302 Moved Temporarily
GET http://production.cf.rubygems.org/quick/Marshal.4.8/tilt-1.4.1.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET http://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET http://production.cf.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

However, by having an /etc/gemrc installed by default with the following contents:

% cat /etc/gemrc
:sources:
- https://rubygems.org

We can have the gems retrieved via https:

sudo gem install --verbose haml
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
304 Not Modified
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

This isn't a flaw, precisely, but it would be a good hardening step to ensure we get gems installed via https.

[1] https://bugzilla.novell.com/show_bug.cgi?id=834785

This is how it looks on my F19:

$ GEM_HOME=~/https gem install --verbose haml
HEAD https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
HEAD https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/latest_specs.4.8.gz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
200 OK
GET https://rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/quick/Marshal.4.8/haml-4.0.3.gemspec.rz
200 OK
Installing gem tilt-1.4.1
Downloading gem tilt-1.4.1.gem
GET https://rubygems.org/gems/tilt-1.4.1.gem
302 Moved Temporarily
GET https://s3.amazonaws.com/production.s3.rubygems.org/gems/tilt-1.4.1.gem
Fetching: tilt-1.4.1.gem (100%)
200 OK

I guess this behavior changed with RubyGems 2.0, so F19+ are OK. I don't consider it worth the effort to change the behavior on F18, but I won't object if anyone else wants to do it.

If F19+ is ok (haven't installed it yet so can't test), then I'm not overly worried about F18. Thanks for looking.
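
A way to check both halves of the hardening discussed in this thread, as an added example that is not part of the original comments: it flags non-https entries in a gemrc and plaintext fetches in `gem install --verbose` output, which also exposes a redirect that lands on http. The sample gemrc, the sample log, the host gems.example.test and the function names are constructed for illustration.

```ruby
require "yaml"
require "uri"

# Constructed sample inputs, modelled on the output quoted in this report.
SAMPLE_GEMRC = <<~GEMRC
  :sources:
  - https://rubygems.org
  - http://gems.example.test
GEMRC

SAMPLE_LOG = <<~LOG
  GET http://rubygems.org/latest_specs.4.8.gz
  302 Moved Temporarily
  GET https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz
  200 OK
  Fetching: tilt-1.4.1.gem (100%)
LOG

# True only when the URL parses and its scheme is https.
def https?(url)
  URI.parse(url).scheme.to_s.downcase == "https"
rescue URI::InvalidURIError
  false
end

# Return every source listed in a gemrc that is not fetched over https.
# gemrc keys are YAML symbols (":sources:"), so Symbol must be permitted.
def insecure_sources(gemrc_text)
  config = YAML.safe_load(gemrc_text, permitted_classes: [Symbol]) || {}
  return [] unless config.is_a?(Hash)

  sources = config[:sources] || config["sources"] || []
  Array(sources).map(&:to_s).reject { |s| https?(s) }
end

# Return the URLs that `gem install --verbose` output shows being requested
# without TLS, including redirect targets reached from an https source.
def plaintext_fetches(verbose_output)
  urls = verbose_output.scan(/^\s*(?:GET|HEAD)\s+(\S+)/).flatten
  urls.reject { |u| https?(u) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts "insecure gemrc sources: #{insecure_sources(SAMPLE_GEMRC).inspect}"
  puts "plaintext fetches:      #{plaintext_fetches(SAMPLE_LOG).inspect}"
end
```
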