On Sunday, 24 May 2020 20:00:28 CEST gregor herrmann wrote:
> > So, what are people's thoughts? Do we want to take this position
> > and change the default in Debian? Extending distribution to debian-perl
> > for wider visibility.
>
> A tentative "yes" from me :)

A more firm "yes" from me ;-)

> Maybe we should seek communication with upstream in
> https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
> since that one is closed) as a next step?

I do not really agree with the rationale of https://github.com/chansen/p5-http-tiny/issues/68. Most people won't make an informed decision because they won't realize that TLS is disabled. The only way for people to make an informed decision is to exit on error when verify_ssl is not defined, which is not really user-friendly ;-)

I think TLS should be verified by default, even more so in Debian because our list of trusted CAs is regularly updated.

All the best
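
Added example, not part of the original message or of HTTP::Tiny: a textual audit that lists the `HTTP::Tiny->new` call sites in Perl source that rely on the library default instead of stating a choice, which is the situation the message says users will not notice. It assumes the constructor attribute is spelled `verify_SSL` as in HTTP::Tiny's documentation; `audit`, `_arg_list` and the sample source are hypothetical names and constructed input, and the scan is a heuristic that does not parse Perl.

```python
import re

# Constructor call, with or without a parenthesised argument list.
CTOR = re.compile(r"HTTP::Tiny\s*->\s*new\b\s*(\()?")
# verify_SSL attribute followed by its value (bare or quoted key).
VERIFY = re.compile(r"\bverify_SSL\b['\"]?\s*(?:=>|,)\s*([^,)\s]+)")
FALSY = {"0", "''", '""', "undef"}

# Constructed sample input, not taken from any real package.
SAMPLE = '''\
use HTTP::Tiny;
my $a = HTTP::Tiny->new;
my $b = HTTP::Tiny->new(
    timeout    => 10,
    verify_SSL => 1,
);
my $c = HTTP::Tiny->new(agent => "x/1.0", verify_SSL => 0);
# my $d = HTTP::Tiny->new();
'''

def _arg_list(src, start):
    """Return the text between the '(' at src[start] and its matching ')'."""
    depth = 0
    for i in range(start, len(src)):
        depth += (src[i] == "(") - (src[i] == ")")
        if depth == 0:
            return src[start + 1:i]
    return src[start + 1:]  # unbalanced: fall back to the rest of the file

def audit(src):
    """Return [(line, verdict)] for every HTTP::Tiny->new call in src."""
    # Blank out whole-line comments but keep newlines so line numbers hold.
    src = re.sub(r"(?m)^[ \t]*#.*$", "", src)
    findings = []
    for m in CTOR.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        args = _arg_list(src, m.start(1)) if m.group(1) else ""
        v = VERIFY.search(args)
        if v is None:
            verdict = "default"    # no explicit choice: library default applies
        elif v.group(1) in FALSY:
            verdict = "disabled"   # certificate verification switched off
        elif re.fullmatch(r"[1-9]\d*", v.group(1)):
            verdict = "enabled"
        else:
            verdict = "review"     # value computed at run time, check by hand
        findings.append((line, verdict))
    return findings
```

Call sites reported as `default` or `disabled` are the ones whose behaviour depends on what the library or the distribution decides.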