[chef] Re: Re: Opscode Upgrade to Embedded Ruby


  • From: Daniel Condomitti
  • Subject: [chef] Re: Re: Opscode Upgrade to Embedded Ruby
  • Date: Thu, 27 Jun 2013 18:53:09 -0700

Are there plans to change that? I would expect that Chef server be one of the most critical services to ensure you're not being MITM'ed, especially when using hosted chef.

On Thursday, June 27, 2013 at 6:38 PM, Noah Kantrowitz wrote:


On Jun 27, 2013, at 6:32 PM, Tommy Fotak wrote:

Hi,

What is the policy of Chef releases with regard to Ruby releases?

For example, there are Ruby 1.9.3-p448 and 2.0.0-p247 releases that fix an SSL vulnerability. Will Opscode make an 11.4.4 release with a new embedded Ruby?

Are we better off using the Chef gem in our managed Rubies over the Omnibus?

The relevant bug fix just blocks a potential issue in how Ruby verifies SSL certificates. Chef sets :verify_none by default, so there is technically no risk of hitting the bug :-) (the astute reader will note that this is because there is never any validation)

--Noah
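
An added example, not part of the thread and not Opscode's code: a Ruby check of a client.rb or knife.rb for its effective `ssl_verify_mode`, treating an absent setting as `:verify_none` on the strength of Noah's statement above. The sample configs and the helper names `configured_verify_mode` and `audit_chef_config` are constructed for illustration; `ssl_verify_mode :verify_peer` is the Chef setting that turns certificate validation on.

```ruby
# Added example: audit Chef client.rb / knife.rb text for the effective
# ssl_verify_mode. Sample configs below are constructed for illustration.

# Assumption taken from the thread: when the setting is absent, the client
# of that era falls back to :verify_none (no certificate validation).
THREAD_ERA_DEFAULT = :verify_none

# Matches `ssl_verify_mode :mode` and `ssl_verify_mode(:mode)`.
SETTING = /\A\s*ssl_verify_mode[\s(]+:(\w+)/

# Returns the last ssl_verify_mode set in the config text, or nil if unset.
# Commented-out settings never match: the pattern is anchored at line start.
def configured_verify_mode(config_text)
  mode = nil
  config_text.each_line do |line|
    m = SETTING.match(line)
    mode = m[1].to_sym if m # a later setting overrides an earlier one
  end
  mode
end

# Reports whether the config ends up validating the server certificate.
def audit_chef_config(config_text)
  explicit = configured_verify_mode(config_text)
  effective = explicit || THREAD_ERA_DEFAULT
  status = effective == :verify_peer ? :ok : :no_validation
  { status: status, effective: effective, explicit: !explicit.nil? }
end

# Constructed sample: relies on the default, so nothing is validated.
WEAK_CONFIG = <<~CONF
  chef_server_url "https://chef.example.com/organizations/demo"
  node_name       "web01"
  # ssl_verify_mode :verify_peer
CONF

# Constructed sample: the corrected form, validating the server certificate.
HARDENED_CONFIG = <<~CONF
  chef_server_url "https://chef.example.com/organizations/demo"
  node_name       "web01"
  ssl_verify_mode :verify_peer
CONF

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_CONFIG, "hardened" => HARDENED_CONFIG }.each do |name, text|
    puts "#{name}: #{audit_chef_config(text).inspect}"
  end
end
```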



