On 24.02.2023 23:55, Demi Marie Obenour wrote:
> On Tue, Feb 21, 2023 at 11:07:58AM +0100, Jan Beulich wrote:
>> On 19.02.2023 03:46, Demi Marie Obenour wrote:
>>> --- a/stubdom/configure
>>> +++ b/stubdom/configure
>>> @@ -3535,7 +3535,7 @@ if test "x$ZLIB_URL" = "x"; then :
>>>     if test "x$extfiles" = "xy"; then :
>>>    ZLIB_URL=\$\(XEN_EXTFILES_URL\)
>>>  else
>>> -  ZLIB_URL="http://www.zlib.net";
>>> +  ZLIB_URL="https://www.zlib.net";
>>>  fi
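Review bot: the commit description should say that this is a transport-hardening change only, since, as noted downthread, www.zlib.net no longer serves the version stubdom tries to fetch, so the `+` line leaves the non-extfiles branch failing exactly as before, just without exposing the download to tampering in transit. If fail-closed is the intent, state that explicitly and consider whether the fallback should instead be an obviously non-functional value or a location that still hosts the tarball; also, only the generated `stubdom/configure` is visible in this hunk, so make sure the change originates in `configure.ac` with `configure` regenerated rather than hand-edited.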
>>
>> In v3 you said that this URL can't be used anymore for the version we're
>> trying to fetch (which I can confirm). Leaving aside the question of why
>> stubdom was never updated in that regard, what use is it to update URL
>> (without even mentioning the aspect in the description) in such a case?
>> (I haven't gone through any of the other URLs again, so there may well
>> be more similar cases.)
> 
> Main advantage is that it will fail securely rather than downloading
> whatever random code an MITM attacker put in there.

As said before (and implied here): At the very least you need to mention
the aspect in the description. But then wouldn't things be failing equally
securely if no (non-working) URL was put in place, or one which is
guaranteed to yield an error but makes obvious that no real URL is meant?

Jan
