Le lundi 23 octobre 2017 15:44:09 UTC+2, Erik Bray a écrit : > > On Mon, Oct 23, 2017 at 3:28 PM, Emmanuel Charpentier > <emanuel.c...@gmail.com <javascript:>> wrote: > >> It should be possible to disable the requirement at > >> configure time and fallback to a different default. It's a shame we > >> require a patch for this for now but I can help push for an upstream > >> fix to this if need be, because I think it's fairly silly. > > > > > > Could you explain why ? I think that the move towards authentication of > the > > download sources is a Good Idea (TM), but I may be wrong. In any case, > the > > "silliness" of this is nor obvious to my dentist's eyes... > > Perhaps this should clarify: If the CRAN service is switched to using > HTTPS, then it can't be accessed without HTTPS. If the user tries to > access the site with software that doesn't have HTTPS support then > they are prevented from performing insecure downloads, QED. > > In other words, the security here is being provided by the service. > The client is free to decide whether or not they wish to implement > their end in order to be able to access the service. >
Indeed. But since R is "the software" used to access CRAN, the authors of "this software" want to be sre that "saif software" is indeed able to access it. Sounds sound to me : not a security problem, but just plain old specificatin of an essential requirement. Where is the silliness ? -- Emmanuel Charpentier -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.