There's an interesting one in

./build/sage_bootstrap/download/mirror_list.py:
URL = 'http://www.sagemath.org/mirror_list'

which would probably be better as https. Because of the checksums I don't 
think there's much direct risk from it, but it does open up sage-generated 
traffic to theoretical MITM attacks. DNS interceptions (which are outside 
of sage's control) are likely much more dangerous, but why not use https:// 
instead?

Scanning through the other ones, I think they are all in copyright banners 
and documentation. Note that http://www.sagemath.org/ redirects to 
https://www.sagemath.org/ anyway, so changing this to https:// shouldn't 
reduce any compatibility/functionality and would remove one possible MITM 
operation (with uncertain effects). 

On Monday, 10 February 2025 at 09:29:01 UTC-8 Georgi Guninski wrote:

> On Mon, Feb 10, 2025 at 5:38 PM Dima Pasechnik <dim...@gmail.com> wrote:
> >
> > I suppose most http: strings are in documentation.
> >
>
> I think this is not the case.
> The original command skips sagemath via `grep -v -w sagemath`
>
> On an empty tree:
> $ grep -E -r "http://www.sagemath|http://sagemath" /tmp/sage-10.5/ | wc -l
> 87
>

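The question in this thread, whether the `http://` strings sit in banners and documentation or in code that actually runs, can be answered per file with Python's tokenizer instead of grep. The sketch below is an added example, not part of the messages above and not Sage code; the function names are hypothetical and the sample source is constructed, with only the `URL = ...` line taken from the thread.

```python
import io
import re
import tokenize

HTTP_RE = re.compile(r"http://[^\s'\"<>)]+")
# Python 3.12+ tokenizes f-string text separately; -1 never matches on older versions.
FSTRING_MIDDLE = getattr(tokenize, "FSTRING_MIDDLE", -1)
STMT_START = (None, tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT)

def classify_http_urls(source):
    """Return (line, kind, url) for every http:// URL in Python source text."""
    findings = []
    prev = None  # type of the previous significant token
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            kind = "comment"
        elif tok.type == tokenize.STRING:
            # A string that is a whole statement by itself is a docstring.
            kind = "docstring" if prev in STMT_START else "code"
        elif tok.type == FSTRING_MIDDLE:
            kind = "code"
        else:
            kind = None
        if kind:
            for m in HTTP_RE.finditer(tok.string):
                # Multi-line strings: report the line the URL is on.
                line = tok.start[0] + tok.string.count("\n", 0, m.start())
                findings.append((line, kind, m.group()))
        if tok.type not in (tokenize.COMMENT, tokenize.NL):
            prev = tok.type
    return findings

def code_urls(source):
    # Only URLs in string literals the program uses, i.e. the ones worth changing first.
    return [(ln, url) for ln, kind, url in classify_http_urls(source) if kind == "code"]

# Constructed sample; only the URL assignment comes from the thread.
SAMPLE = '''\
# Copyright banner, see http://www.sagemath.org/
"""Mirror list handling.
Docs: http://www.sagemath.org/doc
"""
URL = 'http://www.sagemath.org/mirror_list'
def fetch():
    """See http://sagemath.org/help for details."""
    return URL  # formerly http://example.invalid/old
'''
```

Running `code_urls` over each `.py` file in a tree leaves only the plaintext URLs the program can actually fetch; comment and docstring hits can be reviewed separately.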