Ruby » Ruby master

Martin Vahi wrote:

The result is that people do

http://stackoverflow.com/a/25186429

gem source -r https://rubygems.org/ 
gem source -a http://rubygems.org/

leading to simplified man-in-the-middle attacks.
Gems have build/installation scripts and the rest
is, if not history, then the future.

$ gem install <something>
Error: while executing gem (Gem::Exception)
  Unable to require openssl. install openSSL and rebuilt ruby (preferred) or use non HTTPs sources

The error message clearly says that rebuilding Ruby with ext/openssl is preferred. It is the responsibility of the user not to follow that.

I state that an out-dated OpenSSL in the Ruby
installation is far better than no OpenSSL at all.
Therefore it is beneficial to embed a copy of
the OpenSSL to the Ruby source, so that it
gets built and is robustly available regardless
of the operating system peculiarities.

I don't think so. A broken OpenSSL doesn't improve security at all. Since OpenSSL (or LibreSSL) is usually already installed on the system, the real problem is that the user is not passing a correct --with-openssl-dir to the configure script, or the user just forgets to install the header files.