delorie.com/archives/browse.cgi | search |
X-Authentication-Warning: | delorie.com: mail set sender to geda-user-bounces using -f |
X-Recipient: | geda-user AT delorie DOT com |
IronPort-SDR: | PKGJMaMB7B73tHwMiryLtKZKm04to5aDpHCKD6x/eIGl8dF5KPf6OFCmKQii3kVYKb0L41D48G |
cL+FdhKOKuqw== | |
X-Ironport-SBRS: | None |
Date: | Mon, 11 Jan 2021 15:53:23 -0800 |
From: | "Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com> |
To: | geda-user <geda-user AT delorie DOT com> |
Subject: | Re: [geda-user] No https for pcb-rnd |
Message-ID: | <20210111235323.GB9305@recycle.lbl.gov> |
References: | <xnim84jsdh DOT fsf AT envy DOT delorie DOT com> |
<197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com> | |
<CAHUm0tNfewMqL7mpXxuESB+r-vDYhO5vcRp+LfW-wXHjdkh=jw AT mail DOT gmail DOT com> | |
MIME-Version: | 1.0 |
In-Reply-To: | <CAHUm0tNfewMqL7mpXxuESB+r-vDYhO5vcRp+LfW-wXHjdkh=jw@mail.gmail.com> |
User-Agent: | Mutt/1.10.1 (2018-07-13) |
Reply-To: | geda-user AT delorie DOT com |
Errors-To: | nobody AT delorie DOT com |
X-Mailing-List: | geda-user AT delorie DOT com |
X-Unsubscribes-To: | listserv AT delorie DOT com |
Erich - On Tue, Jan 12, 2021 at 08:57:30AM +1030, Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote: > If you install pcb-rnd from a distribution, i.e. using a set of .deb files, > you are protected by the checksums and security packages the distribution > uses for its package distribution. Sure, but where does the _distribution_ get its source? I'm not a personally fan of mandating https, for some of the reasons alredy mentioned on this thread. Its illusion of security is stronger than its actual contribution to security. Authentication and supply chains are a pretty big deal in general these days. See SolarWinds, reproducible-builds.org, and bootstrappable.org. - Larry
webmaster | delorie software privacy |
Copyright © 2019 by DJ Delorie | Updated Jul 2019 |