On 13/07/16 13:21, Lawrence Paulson wrote:
> I’m not sure that digitally signed components are really something to work on
> now.
I've asked myself this question occasionally, just to get rid of
additional user interaction when running the main Isabelle application
for the first time on Mac OS X
On 13/07/16 15:50, Makarius wrote:
>
> I will take another look at curl. It seems to be universally
> available on all platforms now, with very similar versions and
> installation options.
See now:
changeset: 63490:9416333a17c2
user:wenzelm
date:Thu Jul 14 12:20:20 2016 +0200
f
On 13/07/16 00:28, Lars Hupel wrote:
>
> Because we don't sign components, we should at least make them available
> over HTTPS. This is the bare minimum according to security best practices.
>
> Potential disadvantage: Fetching from HTTPS using Perl's libwww requires
> an addon package ("LWP-Prot
I’m not sure that digitally signed components are really something to work on
now. Are we really concerned about malicious attacks against our servers?
Larry
> On 13 Jul 2016, at 00:56, Gerwin Klein wrote:
>
> I agree, we should do that.
>
> Ideally, we should actually sign those components. T
I agree, we should do that.
Ideally, we should actually sign those components. The
downloading/receiving/checking side is not too hard to automate, but it would
require entering the private key keyphrase when you are signing (providing) a
new component.
Cheers,
Gerwin
> On 13 Jul 2016, at 08:
Dear Isabelle developers,
all of the critical Isabelle infrastructure (even website mirrors) is
reachable via HTTPS. For Jenkins, it's not so important. For executable
code, it is very important. Hence I would like to propose a simple
change in the global "etc/settings":
-ISABELLE_COMPONENT_REPOS