During the [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) of the inclusion of OpenSSL, a few remarks were made about the security of our distribution infrastructure.
It has been noted that http is ridiculously easy to hijack <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/3dfTByrIAQAJ>, and some have remarked <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/FheYtjBWAAAJ> that this potential threat also applied to the http downloads from our mirrors.

*I think we should consider this issue, and plan to post (Real Soon Now) a call for discussion about this.* What is the relevant list?

Others remarked <https://groups.google.com/d/msg/sage-devel/fE45025Wphs/podOAX89AAAJ> that a non-SSL-enabled pip, which impedes, for example, downloading from PyPI, sort-of enhanced security by suppressing a possible source of attack. No comments...

I have a few questions:

* Would it be difficult/onerous/cumbersome to ask our mirrors to switch to https-only service?
* Would such a measure significantly lower the possibility of attacks of a Sage user/developer machine via "http hijacking"?
* What is the likelihood of such an attack?

Your inputs, please...

--
Emmanuel Charpentier
