[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Paul Harvey csirac2 at gmail.com
Thu Jul 30 01:32:19 UTC 2015

On 30 July 2015 at 11:16, Michael Cohen <scudette at gmail.com> wrote:
> I'm sorry, I fail to understand how this is any worse than hosting your
> installer on plain HTTP. Piping a curl installer to shell is not better or
> worse than distributing your software on plain HTTP or downloads.com or
> something.

I suppose what you're getting at is that https makes no guarantees
about the original code you're trying to download: the original code
may itself be hostile, and so no amount of transport layer security
will change anything.

But this ignores problems at the connection/network transport layer.
That is not incompatible with the fact that most Linux distros still
rely on plain http mirrors (so as not to break proxy caches); they
still have PGP and friends to validate delivered files.

Surely https, warts and all, allows for at least slightly better
hygiene than blind faith in your physical network and http.
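The model Paul describes above (an untrusted plain-http mirror, with the delivered file validated against a key the user already holds) as an added example, not code from the list or from any distro; it uses Go's standard-library ed25519 as a stand-in for PGP, and the release key, payload and tampered copies are all constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what an untrusted mirror hands you: the file bytes plus a
// detached signature shipped beside them. The mirror controls both.
type Release struct {
	Payload   []byte
	Signature []byte
}

// VerifyRelease checks the payload against a key pinned out of band
// (a keyring shipped with the distro image, or fetched once over https),
// never a key served by the same mirror as the file.
func VerifyRelease(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Payload, r.Signature)
}

// Scenario runs three downloads through the same check: the genuine file,
// a copy altered in transit, and an altered copy re-signed by the attacker.
func Scenario() (genuineOK, tamperedOK, resignedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // project's release key
	if err != nil {
		panic(err)
	}
	payload := []byte("#!/bin/sh\necho installing\n") // constructed installer
	genuine := Release{Payload: payload, Signature: ed25519.Sign(priv, payload)}
	genuineOK = VerifyRelease(pub, genuine)

	// Bytes changed on the wire or on the mirror; original signature kept.
	altered := append([]byte("echo tampered\n"), payload...)
	tamperedOK = VerifyRelease(pub, Release{Payload: altered, Signature: genuine.Signature})

	// Attacker also replaces the .sig with one made under their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := Release{Payload: altered, Signature: ed25519.Sign(attackerPriv, altered)}
	resignedOK = VerifyRelease(pub, resigned)
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Printf("genuine=%v tampered=%v resigned=%v\n", g, t, r)
}
```

Only the genuine copy verifies; the check depends entirely on the pinned key being obtained somewhere the mirror cannot influence, which is exactly what plain-http distro mirrors rely on.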

