Infrastructure/Release-Management: Sign releases
currently Ruby releases are not cryptographically signed and distributed unencrypted via http. While there are some MD5-hashes on the web-site, it's cumbersome to automate and MD5 is already insecure.
This is a huge security risk because currently it just takes a simple HTTP MITM attack to inject a backdoored ruby to downstream projects and end users, like e.g. the official Docker image (see https://github.com/docker-library/ruby/blob/master/2.2/Dockerfile#L12).
Please sign the release files with a release/maintainer pgp/gpg key.
Other OSS projects already sign their releases, e.g.: