On 2025-02-10 10:43:37, Georgi Guninski wrote:
> Downloading and running code over unencrypted channels like 'http://'
> is dangerous from security point of view.

There's a sha256 hash in each build/pkgs/<package>/checksums.ini. So long as the developer who commits checksums.ini has either (a) verified the upstream signature or (b) used a secure channel, the channel eventually used by the user doesn't matter too much. (I doubt that anyone is actually doing this for http:// tarballs, but there is a solution for this problem.)