> On Sep 1, 2017, at 3:49 AM, Ask Bjørn Hansen <a...@perl.org> wrote:
> 
> The Google change was the impetus to get around to it.
> 
> Clients should use TLS to request content. It limits the trust for 
> downloading CPAN content roughly to:
> 
> - The author
> - PAUSE system maintainers
> - perl.org infrastructure maintainers
> - Fastly
> - Global CA infrastructure
> 
> Without TLS you basically trust anyone with any sort of access to your 
> internet connection to not muck with the code you receive.
> 
> Obviously the real fix here is that clients need to request via TLS (since I 
> doubt any clients other than regular browsers support HSTS).

As an (interesting?) aside, the Net::HTTP test suite just broke because of the 
301 from http://www.cpan.org to https://www.cpan.org 
(https://github.com/libwww-perl/Net-HTTP/issues/53). Obviously that test made 
some assumptions which no longer hold up. :) A fix has been released. I just 
point it out as an unexpected side effect of making these sorts of changes.

Olaf
