That doesn't mean that this bug is not important, or that the Ruby team's decision as it currently stands is a good one. But it's a complex issue.
It is a cracker's dream that so much Ruby code is being exposed to the web these days. Such low hanging fruit. Even the script kiddies laugh at the ease of compromise.
That's from ruby-core. That's a frightening attitude for a project to take.
While these are valid concerns, you can't wholly pass the buck to OpenSSL and to people installing a new version of OpenSSL and re-linking ruby against that -- the ruby project should always ship the most secure ruby possible, all the time.
Newer OpenSSL has already changed these defaults, smart people who know what they are doing have already agreed and documented that this is a good idea, and ruby is only hurting their users by dodging responsibility.
Would you rather have a ruby-core of honest, hardworking developers who prefer to "delegate the task to other people" who are experts in security - because they admit their own weaknesses, or a ruby-core of arrogant developers who overstep their area of expertise just to try and deliver your "most secure ruby possible" - but more than likely worsening security?
It sounds to me like they're doing the most responsible thing they possibly can given the circumstances. If you or anyone else is in a position to do better, then by all means, step up and bless the ruby world with your supreme intellect.
admitting weakness + asking for help != dodging responsibility
Knowingly shipping dangerous APIs is irresponsible.
OpenSSL is a god damned shitshow, no questions from me, it's bad, it's dangerous, it's irresponsible.
But they shipped something based on OpenSSL, and now they're making a deliberate decision not to act to protect their users. That's not cool, and that's unacceptable to me. If I actually used Ruby, this would make me reconsider that.
However, the fact that other people should also be claiming responsibility for their own security does not absolve ruby of its own responsibilities.
I inferred from this not that the Ruby team doesn't care about security, but that they lack the expertise to handle it properly. They're aware of that, and choose to leave these decisions up to the experts.
It's a reasonable position, but, as a user, "We don't know how" doesn't help me any more than "We don't care".
Security - they've heard of it, at least now.