Date: Mon, 11 Jan 2021 15:53:23 -0800
From: "Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via geda-user AT delorie DOT com]"
To: geda-user
Subject: Re: [geda-user] No https for pcb-rnd
Message-ID: <20210111235323.GB9305@recycle.lbl.gov>
References: <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com>

Erich -

On Tue, Jan 12, 2021 at 08:57:30AM +1030, Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote:
> If you install pcb-rnd from a distribution, i.e. using a set of .deb files,
> you are protected by the checksums and security packages the distribution
> uses for its package distribution.

Sure, but where does the _distribution_ get its source?

I'm not personally a fan of mandating https, for some of the reasons
already mentioned on this thread. Its illusion of security is stronger
than its actual contribution to security.

Authentication and supply chains are a pretty big deal in general
these days. See SolarWinds, reproducible-builds.org, and bootstrappable.org.

 - Larry