Comment 1 for bug 1467716

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I know that years ago "gem install" was horribly insecure, but I believe this has been improved upstream? So is this a bug in Ubuntu's packaging, or is it that it is fixed in a newer upstream (and/or Ubuntu) release, or is what you're reporting still a problem upstream?

I'll also note that using unencrypted HTTP isn't necessarily "insecure". Cryptographic verification can be done using digital signatures outside the transport protocol (for example apt does this), which is arguably more secure because it protects data at rest as well as in transit. For example, even if an apt mirror is compromised the signatures and thus package contents cannot be since the apt repository private signing keys aren't held on any mirror.

Finally, HTTPS doesn't necessarily protect privacy for software repositories either, as any attacker who could compromise your HTTP download can also observe the size and timing of your HTTPS downloads and thus often be able to guess what packages you downloaded from a repository that is already public.

So it would be useful if you could please clarify exactly what you mean by "insecure", and what needs to be fixed in Ubuntu as opposed to what is available in a newer release and what needs fixing upstream.