On Sat, Jan 04, 2014 at 10:58:16AM +0100, Marc Lehmann wrote:
> On Fri, Jan 03, 2014 at 10:43:43PM +0200, Alex Efros <[email protected]> wrote:
> > On Fri, Jan 03, 2014 at 08:51:44PM +0100, Marc Lehmann wrote:
> > > On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <[email protected]> wrote:
> > > > Can you distribute your source code (the tar.gz files) via for example
> > > > https
> > > What would the point of https be?
> >
> > To make sure sources won't be compromised while downloading using a MITM
> > attack.
>
> Well, https can't do that.

Well, data in an https connection cannot be trivially exchanged with something
else without having the key. In my opinion that would be the whole point, to
prevent trivial attacks.

> > > And that somehow makes it trustworthy? And how would users know that from
> > > a signature anyway? Who would be the trust broker for the signature?
> >
> > Users will know this signature is from the official website, protected by https.
>
> https can't do that.
>
> > This won't protect against government agencies who are able to get a fake https
> > certificate for any website signed by one of the hundreds of CAs trusted by
> > major browsers, but for all other cases it should provide assurance to
>
> I think for anybody who didn't live under a rock for the last two years
> (security-wise), it should be obvious that this isn't true - you don't
> have to be a government agency to get fake certificates at all.

That's correct, but not the point.

> > the user that she really downloaded an unmodified file from the official website.
>
> Which, in itself, isn't that helpful (nobody is interested whether the
> file is modified or not, people are interested in whether the contents are
> harmful or not).

Of course I want to know whether the file I downloaded was modified during
download. The software being harmful or not by itself is a different story.

> > If not for real users, this may be useful for distributive
> > developers, to minimize the chance of occasionally including a compromised
> > version of some software.
>
> (What is a distributive developer?)

I am pretty sure what he meant is a package maintainer of a Linux
distribution.

> > Some users (including me) prefer to use https whenever possible for any
> > website (and use browser plugins to enforce this), so it's always a good
> > idea to make _any_ website available using https.
>
> I don't think it is particularly convincing to say that using https is
> always a good idea because you prefer it :)

It is generally a good idea. Or do you have any examples of negative effects
of its usage?

> > BTW, startssl.com provides https certificates for free.
>
> Interesting, nice to know (but I don't trust any CAs except my own).

Yes, there is absolutely no point in trusting some random company.

Kind regards,
-Alex

_______________________________________________
rxvt-unicode mailing list
[email protected]
http://lists.schmorp.de/cgi-bin/mailman/listinfo/rxvt-unicode
