On Sun, Oct 29, 2017 at 07:21:27PM +0100, Julien Cristau wrote: > Package: popularity-contest > Version: 1.64 > Severity: normal > User: [email protected] > Usertags: needed-by-DSA-Team > X-Debbugs-Cc: [email protected] > > Hi, > > now that https://popcon.debian.org is a thing, we should update the > client to POST on https (without certificate checking if you don't want > to pull in that dependency?).
By design popcon must have minimal dependencies, otherwise results are skewed. > Then eventually, in a few (5+) years, > stop supporting plain http uploads. We still receive popcon submission from popcon 1.25 released in 2004. So we would likely receive http submission until 2030. At this stage the webserver will need to be compatible with 13-years old crypto implementations used by popcon-upload from 2017. Maybe I am overoptimistic, but OpenPGP seems to be simpler and moving more slowly than TLS. So it seems safer to stick with http + OpenPGP. Cheers, -- Bill. <[email protected]> Imagine a large red swirl here.

