I suppose most http: strings are in documentation.

On 10 February 2025 08:36:18 GMT-06:00, Michael Orlitzky <mich...@orlitzky.com> wrote:
>On 2025-02-10 10:43:37, Georgi Guninski wrote:
>> Downloading and running code over unencrypted channels like 'http://'
>> is dangerous from security point of view.
>
>There's a sha256 hash in each build/pkgs/<package>/checksums.ini. So
>long as the developer who commits checksums.ini has either (a)
>verified the upstream signature or (b) used a secure channel, the
>channel eventually used by the user doesn't matter too much.
>
>(I doubt that anyone is actually doing this for http:// tarballs, but
>there is a solution for this problem.)
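The check described in the quoted message, as an added example that is not part of the thread and not Sage's own code: a downloaded tarball is accepted only if its SHA-256 matches the value pinned in a checksums.ini-style file, so bytes altered on an http:// transfer are rejected. The key=value layout, the `tarball` and `sha256` key names, the function names and the sample data are assumptions made for this example.

```python
import hashlib
import hmac
import io

HEX = set("0123456789abcdef")

def parse_checksums(text):
    """Parse key=value lines (layout assumed for this example)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def sha256_of(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large tarballs are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_tarball(stream, checksums_text):
    """True only if the bytes match the pinned sha256; fail closed otherwise."""
    expected = parse_checksums(checksums_text).get("sha256", "").lower()
    if len(expected) != 64 or not set(expected) <= HEX:
        return False  # missing or malformed pin is a failure, not "nothing to check"
    return hmac.compare_digest(sha256_of(stream), expected)

# Constructed sample data, not a real Sage package.
UPSTREAM = b"constructed tarball contents"
TAMPERED = UPSTREAM + b" plus bytes altered in transit"
CHECKSUMS = "tarball=example-1.0.tar.gz\nsha256=%s\n" % hashlib.sha256(UPSTREAM).hexdigest()

if __name__ == "__main__":
    print(verify_tarball(io.BytesIO(UPSTREAM), CHECKSUMS))
    print(verify_tarball(io.BytesIO(TAMPERED), CHECKSUMS))
    print(verify_tarball(io.BytesIO(UPSTREAM), "tarball=example-1.0.tar.gz\n"))
```

The guarantee is only as strong as the pinned value: it has to enter the repository from a verified upstream signature or a secure channel, as the message says.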