[Pkg-julia-devel] openlibm 0.5.4-1 and julia 0.4.7-1
Peter Colberg
peter at colberg.org
Thu Sep 22 04:31:24 UTC 2016
On Wed, Sep 21, 2016 at 06:07:29PM +0200, Graham Inggs wrote:
> Excuse my naïveté, but why can't we use an unencrypted transport, as
> in previous versions?
The default URL for the package metadata, Pkg.METADATA has been
switched from git:// to https:// in 0.5. Currently METADATA contains
72 packages with https:// urls (and 1084 with git:// urls).
TLS ensures (partially) the integrity of the package metadata when
transferred from github to the user’s machine, which is vital in
today’s Internet. Given the large set of ca-certificates trusted by
default, there is still potential for malice; but at the least TLS
makes it non-trivial for intermediate networks to inject code.
Of course it would be preferable if the package metadata were signed,
which seems quite feasible given that it is curated by a small team.
Peter
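The count of https:// versus git:// package URLs mentioned above can be reproduced with a small audit over a METADATA checkout. This is an added example, not code from the thread or from the Julia project; it assumes the METADATA.jl layout in which each package directory holds a one-line `url` file, and builds a constructed sample tree so it runs offline.

```python
"""Audit a Julia METADATA checkout for package URLs that use the unauthenticated
git:// transport. Added example, not Julia's own code. Assumed layout (from the
METADATA.jl repo): METADATA/<Pkg>/url holds one line with the clone URL."""
import os
import tempfile
from urllib.parse import urlparse

def classify_url(url):
    """Return 'https', 'git', 'ssh' or 'other' for one METADATA url line."""
    scheme = urlparse(url.strip()).scheme
    if scheme in ("https", "git"):
        return scheme
    if scheme == "ssh" or url.startswith("git@"):
        return "ssh"
    return "other"

def https_equivalent(url):
    """Rewrite a git://github.com/... URL to https://; None if no safe mapping."""
    p = urlparse(url.strip())
    if p.scheme == "git" and p.netloc == "github.com":
        return "https://github.com" + p.path
    return None

def audit_metadata(metadata_dir):
    """Count URL schemes and list git:// packages with a suggested https fix."""
    counts = {"https": 0, "git": 0, "ssh": 0, "other": 0}
    insecure = []
    for pkg in sorted(os.listdir(metadata_dir)):
        url_file = os.path.join(metadata_dir, pkg, "url")
        if not os.path.isfile(url_file):
            continue  # .git, .test and similar entries carry no url file
        with open(url_file) as f:
            url = f.read().strip()
        kind = classify_url(url)
        counts[kind] += 1
        if kind == "git":
            insecure.append((pkg, url, https_equivalent(url)))
    return counts, insecure

def make_sample_metadata():
    """Constructed sample tree in the METADATA layout; not real package data."""
    root = tempfile.mkdtemp(prefix="METADATA-")
    sample = {"Foo": "git://github.com/example/Foo.jl.git",
              "Bar": "https://github.com/example/Bar.jl.git",
              "Baz": "git://example.org/Baz.jl.git"}
    for pkg, url in sample.items():
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "url"), "w") as f:
            f.write(url + "\n")
    return root
```

Point `audit_metadata` at a real `~/.julia/v0.5/METADATA` directory instead of `make_sample_metadata()` to get the live counts; only github.com URLs get an automatic https rewrite, since other hosts may not serve the same repository over TLS.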