"Leo Famulari" <l...@famulari.name> writes:

> So, someone who could MITM as <https://ci.guix.gnu.org> could use their
> own X.509 certificate and pretend to be that server.

IIUC, you agree with me that an attacker can't change the content of
packages but can inspect what a user installs. This seems to contradict
this paragraph:

> HTTPS is recommended because communications are encrypted; conversely,
> using HTTP makes all communications visible to an eavesdropper, who
> could use the information gathered to determine, for instance, whether
> your system has unpatched security vulnerabilities.

If you believe the text is good as it is, please just ignore me and
close the ticket.

Thank you so much for Guix.

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill