How should RG do a secure cert update without opening itself up to downloading a potentially malicious cert?
I don't know the answer to this and haven't looked into RG code in a long time.
If the infrastructure itself is versioned, then rubygems will know if it's out-of-date and can check that separately.
The same failure does not occur on a 64-bit MRI on 64-bit Ubuntu Server 13.10.
We could instead ship a complete set of trusted certificates like browsers do, but this adds a lot of maintenance burden.
If one of the certificates is compromised we need to quickly act to remove the certificate from the rubygems client through an update even when we don't use it.
If you provide an up-to-date certificate set when you provision software you should have no problems.
I have a script here which I use to check for new certs when things get out of date.
Perhaps @drbrain may have time to reply whether this is a legitimate scenario.
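The thread leaves the question in the first comment open. Below is an added illustration, not code from RubyGems or from any participant in this thread, of the shape a client-side check could take if the shipped certificate set were versioned (as the third comment suggests) and delivered as a signed update: the client verifies the update against a key pinned in the client, refuses a bundle whose version does not move forward, and refuses a bundle containing a certificate outside its validity window. The manifest format, the function names, the pinned key pair and the self-signed "Constructed Root" certificates are all assumptions made for this example; none of them exist in RubyGems.

```ruby
require 'openssl'
require 'json'

# Constructed signing key pair for the example. A real client would ship only
# the public half, pinned in the client code; the private half stays offline.
UPDATE_SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
PINNED_UPDATE_PUBKEY = OpenSSL::PKey::RSA.new(UPDATE_SIGNING_KEY.public_key.to_pem)

# Hypothetical update format: a JSON manifest carrying a monotonically
# increasing version and the PEM bundle, signed as one string.
def build_signed_manifest(version, bundle_pem, key)
  manifest = JSON.generate("version" => version, "bundle" => bundle_pem)
  [manifest, key.sign(OpenSSL::Digest::SHA256.new, manifest)]
end

# Split a PEM bundle into X509 certificate objects.
def parse_bundle(bundle_pem)
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Certificates whose validity window does not contain `now`.
def stale_certs(certs, now = Time.now)
  certs.reject { |c| c.not_before <= now && now <= c.not_after }
end

# Client-side acceptance check. Returns :ok or a symbol naming the reason the
# update was refused, so the caller can log the refusal.
def check_bundle_update(manifest, signature, pubkey, installed_version, now = Time.now)
  # 1. Signature by the pinned key: a tampered or substituted bundle fails here.
  return :bad_signature unless pubkey.verify(OpenSSL::Digest::SHA256.new, signature, manifest)
  data = JSON.parse(manifest)
  # 2. Version must move forward, so a validly signed but older bundle is refused.
  return :rollback unless data["version"].is_a?(Integer) && data["version"] > installed_version
  certs = parse_bundle(data["bundle"].to_s)
  return :empty_bundle if certs.empty?
  # 3. Every certificate must currently be within its validity window.
  return :expired_cert unless stale_certs(certs, now).empty?
  :ok
end

# Constructed self-signed root used only to build sample bundles (not a real CA).
def make_test_root(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $0
  now = Time.now
  good = make_test_root("Constructed Root A", now - 3600, now + 365 * 86_400)
  manifest, sig = build_signed_manifest(2, good.to_pem, UPDATE_SIGNING_KEY)
  puts check_bundle_update(manifest, sig, PINNED_UPDATE_PUBKEY, 1)        # :ok
  puts check_bundle_update(manifest, sig, PINNED_UPDATE_PUBKEY, 2)        # :rollback
  puts check_bundle_update(manifest + " ", sig, PINNED_UPDATE_PUBKEY, 1)  # :bad_signature
end
```

The version check is what makes a versioned infrastructure useful to the client: without it, an update that is correctly signed but older than what is installed (for example one that still contains a certificate that was later removed) would be accepted. The expiry check covers the "things get out of date" case from the script mentioned above; removing a compromised certificate still requires publishing a new, higher-versioned bundle without it.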