On Mon, Jul 27, 2015 at 5:46 PM, Hannes Magnusson <bj...@php.net> wrote:

> On Mon, Jul 27, 2015 at 12:32 AM, Ferenc Kovacs <tyr...@gmail.com> wrote:
> > Hi,
> >
> > I've just realized that even though https://pear.php.net/ is available, we
> > are still downloading the install-pear-nozlib.phar via http:// in
> > pear/Makefile.frag and makedist.
> > Do you happen to know any reason for keeping it that way or is this only for
> > historical reasons (maybe pear.php.net did not have proper cert or
> > configured to accept traffic on 443 originally when the download process was
> > created) and should be ok to make this more secure (as it would prevent MITM
> > attacks).
> >
> > What do you think?
>
> I think nice catch *hat tip*.
>
> I'm pretty sure no one cared when this was written ~10 years ago -- we
> didn't even have any certificate issued, not even CAcert at that
> point.
>
>
> -Hannes
>

I will change it to https in master, and if nobody complains about it after
the next PHP7 beta/RC I will backport it to the lower branches.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
