With all due respect.... this is /dumb/. You want our software to go downloading things without verifying their origin? Do you /really/ trust the quality of our code to the point where you're going to risk it being a vector for things like arbitrary executions on our watch? It's not 1995 anymore. /Everything/ on the internet should be done with verified security. There are so, SO many ways to exploit insecure connections.
I don't know about you, but I've /seen/ kicad's code, and I do not trust it to handle things downloaded from arbitrary, unverified locations without having at least a look over what's been downloaded.

> For Github, https links are used just because http links do not exist.
> This is the only reason.

There is a REASON for this.

On Fri, Dec 04, 2015 at 01:13:39PM +0100, jp charras wrote:
> On 04/12/2015 12:43, Brian Sidebotham wrote:
> > Please don't simply disable SSL verification - this is really only
> > useful for self-signed certs.
> >
> > Instead, use something along the lines of
> >
> >     curl_easy_setopt( curl, CURLOPT_CAINFO, "ca-bundle.crt");
> >
> > This is a Windows-specific problem, so I would ifdef that setting and
> > package the ca-bundle.crt in the windows installer.
> >
> > You can get up-to-date certificate bundles from:
> > http://curl.haxx.se/docs/caextract.html
> >
> > Best Regards,
> >
> > Brian.
>
> I understand what you mean, but I am pretty sure avhttp did not test
> certificates.
> Using a certificate just to download lib files is perhaps a bit overkill
> (after all, most of the pdf docs of our components are downloaded from http
> connections, not certified).
>
> I am thinking the certificate ca-bundle.crt is OK (cURL works fine since
> I updated it), but it is just not found by Kicad (it could be fixed).
>
> I am worried by the fact that most Kicad users know nothing about
> certificates, and using them opens a door to a lot of bug reports (the
> fp lib table issues could be zilch compared to that).
>
> But what is the *actual* interest in using a certificate just to
> download libraries or 3D models? (At least as the default option: it could
> be used on request, as an option.)
> (Remember libraries are not necessarily stored on Github.)
>
> For Github, https links are used just because http links do not exist.
> This is the only reason.
>
> --
> Jean-Pierre CHARRAS
>
> _______________________________________________
> Mailing list: https://launchpad.net/~kicad-developers
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~kicad-developers
> More help : https://help.launchpad.net/ListHelp
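The fix Brian describes above (keep peer verification on and point CURLOPT_CAINFO at a shipped ca-bundle.crt on Windows, rather than switching verification off) is a policy that applies to any HTTPS client, not only libcurl. The following is an added example written for this page using Python's standard ssl module; it is not KiCad's or libcurl's code. The install-directory layout, the file name ca-bundle.crt as a constructed placeholder, and the verifies_peer check are assumptions for illustration.

```python
import os
import ssl
import sys
import tempfile
import urllib.request
from typing import Optional, Sequence


def bundle_candidates(install_dir: str) -> Sequence[str]:
    """Where a packaged CA bundle would live (assumed layout).

    Mirrors the thread's suggestion: only Windows needs a bundle shipped
    with the installer; other platforms use the system trust store, so
    the candidate list is empty there."""
    if sys.platform == "win32":
        return [os.path.join(install_dir, "ca-bundle.crt")]
    return []


def find_ca_bundle(candidates: Sequence[str]) -> Optional[str]:
    """Return the first readable, non-empty candidate, else None.

    Resolving the path explicitly addresses the "bundle is fine but the
    application does not find it" failure mode mentioned in the thread."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None


def make_verifying_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Build a context that always verifies the peer and its hostname.

    A bundle path plays the role of CURLOPT_CAINFO; None means the
    platform store. There is deliberately no code path that turns
    verification off (the equivalent of CURLOPT_SSL_VERIFYPEER=0)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True          # explicit, not just the default
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Check suitable for a unit test: does this context reject
    unverified certificates? Catches a stray CERT_NONE or a
    check_hostname=False slipped in to silence certificate errors."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 15.0) -> bytes:
    """Download url with the given context. An untrusted certificate
    raises ssl.SSLCertVerificationError instead of returning data."""
    if not verifies_peer(ctx):
        raise ValueError("refusing to download with verification disabled")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def demo() -> dict:
    """Offline walk-through on a constructed install directory."""
    results = {}
    with tempfile.TemporaryDirectory() as install_dir:
        bundle = os.path.join(install_dir, "ca-bundle.crt")
        results["missing_bundle"] = find_ca_bundle([bundle])   # None: absent
        with open(bundle, "w") as fh:
            fh.write("# constructed placeholder, not a real PEM bundle\n")
        results["found_bundle"] = find_ca_bundle([bundle]) == bundle
    # The platform store (None) is enough to show the policy; on Windows
    # the resolved bundle path would be passed instead.
    results["verifying"] = verifies_peer(make_verifying_context(None))
    # The shortcut the thread argues against, built only to show that
    # verifies_peer() flags it:
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    results["lax_detected"] = not verifies_peer(lax)
    return results


if __name__ == "__main__":
    print(demo())
```

Wiring it together: call bundle_candidates(install_dir) at startup, pass the result of find_ca_bundle to make_verifying_context, and route every download through fetch. Keeping verifies_peer in the test suite means a later "quick fix" that disables verification fails CI instead of shipping.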

