The list seems to have lost this, as it doesn't appear at
https://lists.debian.org/debian-security/2020/05/maillist.html.
-------- Forwarded Message --------
Subject: Re: Scripts that run insecurely-downloaded code
Date: Fri, 01 May 2020 22:51:05 +0000
From: Marcus Dean Adams <marcusdean.ad...@protonmail.com>
Reply-To: Marcus Dean Adams <marcusdean.ad...@protonmail.com>
To: Elmar Stellnberger <estel...@elstel.org>, Rebecca N. Palmer
<rebecca_pal...@zoho.com>, debian-security@lists.debian.org

It's better than nothing. Even if somebody were using self-signed
certificates that aren't publicly trusted, the information would still
be encrypted in transit. Whether the other end is trustworthy is another
issue and up to the user and package maintainers to decide, but it
would, at the very least, make it more difficult for a third party to
manipulate the information between the intended endpoints. Since pretty
much anybody can get a free SSL/TLS certificate from Let's Encrypt, even
for your personal home network, for the majority of use cases there's
really no reason to use unencrypted http any more.

I digress, I'm going on a rant. I just wanted to state that I understand
the OP's concerns. I would start by just emailing the developers/package
maintainers for the project personally. I'm a firm believer with most
things in life that if you have a problem, you handle it at the lowest
possible level first and only escalate if necessary.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Marcus Dean Adams
/"Civilization is the limitless multiplication/
/of unnecessary necessities."/
/-- Mark Twain/
On Fri, 2020-05-01 at 21:31 +0200, Elmar Stellnberger wrote:
[deleted -- Rebecca]