On 12/11/2017 12:08, Matthew Finkel wrote:
> On Mon, Dec 11, 2017 at 05:34:48PM +0100, WhiteWinterWolf wrote:
>
>> This is a reason why I personally like software and system updates to be
>> served through HTTP instead of HTTPS. You don't need to fetch the same
>> update for each environment each time from the remote vendor's system,
>> you just need them to be somehow signed by him to ensure their authenticity.
>
> That's fine, you should have this ability if you understand the
> risks/consequences, but this should not be forced on other users.

It is NOT forced. You can use SVN now over http OR https.

>> This was just to give an example of why one would prefer to use HTTP
>> over HTTPS, and how as highlighted by Karl Denninger a system which does
>> too much may actually be harmful.
>
> I disagree with this. The importance of message confidentiality doesn't
> magically disappear because someone is retrieving public information.

Again, let's target the actual problem.
Advocating the FORCING of https is IMHO utterly ridiculous for the reasons I pointed out. Today you CAN use https with svn if you wish. You are not *forced* to. There are good reasons not to, including caching.

The problem with not knowing if what you got is authentic and not tampered with is simply not resolved by forcing https; it's an out-of-scope hack that fails to target the actual issue. A forced election of something that doesn't actually solve the problem is IMHO a political argument rather than a technical one.

The issue of potentially-tampered-with source code not only can't be dealt with correctly through the use of https (at least not with the public CA infrastructure that "everyone" relies on for "pedestrian" https), but there ARE other means of dealing with it correctly that do not require using https. That's where attention should be focused.

-- 
Karl Denninger
k...@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
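As an added example (not part of this thread or of any project's code), the authenticity check the post argues for: the consumer verifies a vendor's detached Ed25519 signature, bound to the artifact name and content hash, against a pinned public key, so the result is the same whether the bytes came over HTTP, HTTPS, or a local cache. The artifact name, the sample payload and the on-the-spot key generation are constructed for the demonstration; a real deployment ships the vendor's public key out of band and never generates it on the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is an artifact exactly as it arrived (HTTP mirror, caching proxy, local file).
type Update struct {
	Name    string // e.g. "src-r12345.tar.xz" (constructed name)
	Payload []byte
	Sig     []byte // detached Ed25519 signature shipped beside the file
}

// signingInput binds the name to the content hash, so a valid signature for
// one file cannot be re-attached to a different file.
func signingInput(name string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append([]byte(name+"\x00"), sum[:]...)
}

// Sign is the vendor's side, run once on the signing host; included so the example runs.
func Sign(priv ed25519.PrivateKey, u *Update) {
	u.Sig = ed25519.Sign(priv, signingInput(u.Name, u.Payload))
}

// Verify is the consumer's side: check against the pinned vendor key before
// anything is unpacked or applied. Where the bytes came from is irrelevant.
func Verify(pub ed25519.PublicKey, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize {
		return errors.New("reject: missing or malformed signature")
	}
	if !ed25519.Verify(pub, signingInput(u.Name, u.Payload), u.Sig) {
		return errors.New("reject: signature does not match name/payload")
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the vendor's key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := Update{Name: "src-r12345.tar.xz", Payload: []byte("constructed tree")}
	Sign(priv, &u)
	fmt.Println("from cache:", Verify(pub, u)) // <nil>: accepted
	u.Payload = []byte("tampered in transit")
	fmt.Println("tampered  :", Verify(pub, u)) // reject
}
```

The same check also rejects an unsigned file and a signed file served under a different name, which is what the transport-independent design has to guarantee.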