https://bz.apache.org/bugzilla/show_bug.cgi?id=65345
--- Comment #4 from Michael Osipov <micha...@apache.org> --- (In reply to J.M. (Martijn) Kruithof from comment #3) > If there is > 1) not legal reason to have http instead of https in the snippet referring > to the location of the actual license, > 2) there is a security reason to use https in the snippet (avoiding MiTM / > supply chain attacks) > 3) the http version is a permanent redirect to the https version and not the > document itself > 4) the FAQ also points to the https version > > What would be the reason to refer to the http version instead? > > Note again this is not about the link in the license itself, that has been > kept at http. > > In my daytime job I have been confronted with several attacks of the 2nd > kind, especially on wifi networks that should not have been trusted by the > user. My understanding that the URLs aren't the same from a license PoV. Since the LEGAL issues did not resolve the issue, I wouldn't use HTTPS in those files. -- You are receiving this mail because: You are the assignee for the bug.
