>>> In another thread, I think Tom C says we should be using https to deliver
>>> all of our bits, which we aren’t today. What do folks think?
>>
>> -1. We are already doing MD5 checks on downloaded artifacts. I am not
>> sure what benefit https is going to add here.
>
> It looks like we currently pull our MD5 files over https. So changing to
> pull the installer config files over http probably just means folks will
> get stuck on the MD5 fetch. Does changing the MD5 download to HTTP make
> it unsecure?

Only if you think a man-in-the-middle attack that hijacks both the download and the MD5 request is more likely than the bad guys having backdoor access to the servers actually hosting those files. And given the fact that those servers reside in the US and that Snowden's main revelation wasn't about a foreign power having access to nearly every bit in the US, I say we don't worry too much about it ;-)

EdB

--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
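The question raised in the thread, modeled as an added example (not part of the original messages and not the project's installer code): what the MD5 comparison can detect depends on which channel delivered the checksum. The host, paths and file contents are constructed, and https is assumed to deliver responses exactly as the origin sent them.

```python
import hashlib

# Constructed origin content (hypothetical paths): URL path -> bytes.
ARTIFACT = b"installer-config-v1"
ORIGIN = {
    "/sdk/config.xml": ARTIFACT,
    "/sdk/config.xml.md5": hashlib.md5(ARTIFACT).hexdigest().encode(),
}
# Constructed stand-in for a payload that was altered in transit.
TAMPERED = b"installer-config-v1-modified-in-transit"


def fetch(url, on_path_tampering):
    """Model of one download.

    Plain http responses can be rewritten in transit; https responses are
    assumed authenticated and arrive as the origin sent them.
    """
    scheme, _, rest = url.partition("://")
    path = "/" + rest.split("/", 1)[1]
    body = ORIGIN[path]
    if scheme == "http" and on_path_tampering:
        # Whoever can rewrite the artifact can rewrite its checksum file too.
        if path.endswith(".md5"):
            body = hashlib.md5(TAMPERED).hexdigest().encode()
        else:
            body = TAMPERED
    return body


def install_check(artifact_scheme, md5_scheme, on_path_tampering):
    """Return (accepted, genuine): did the MD5 check pass, and is the payload real?"""
    base = "example.invalid/sdk/config.xml"
    data = fetch(f"{artifact_scheme}://{base}", on_path_tampering)
    expected = fetch(f"{md5_scheme}://{base}.md5", on_path_tampering).decode().strip()
    accepted = hashlib.md5(data).hexdigest() == expected
    return accepted, data == ARTIFACT


if __name__ == "__main__":
    for a, m in [("http", "http"), ("http", "https"), ("https", "https")]:
        accepted, genuine = install_check(a, m, on_path_tampering=True)
        print(f"artifact={a:5} md5={m:5} accepted={accepted} genuine={genuine}")
```

The case to watch is `accepted=True, genuine=False`: the check passes on altered content, which only happens here when both files travel over http.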