[Pkg-julia-devel] openlibm 0.5.4-1 and julia 0.4.7-1

Peter Colberg peter at colberg.org
Thu Sep 22 04:31:24 UTC 2016


On Wed, Sep 21, 2016 at 06:07:29PM +0200, Graham Inggs wrote:
> Excuse my naïveté, but why can't we use an unencrypted transport, as
> in previous versions?

The default URL for the package metadata, Pkg.METADATA has been
switched from git:// to https:// in 0.5. Currently METADATA contains
72 packages with https:// urls (and 1084 with git:// urls).

TLS ensures (partially) the integrity of the package metadata when
transferred from github to the user’s machine, which is vital in
today’s Internet. Given the large set of ca-certificates trusted by
default, there is still potential for malice; but at the least TLS
makes it non-trivial for intermediate networks to inject code.

Of course it would be preferable if the package metadata were signed,
which seems quite feasible given that it is curated by a small team.

Peter
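As an added illustration, not part of this thread or of the Julia project's own code: a small Python audit that counts the URL schemes in a METADATA checkout and flags packages still cloned over git:// or http://, with a best-effort https:// rewrite. It assumes the METADATA.jl layout in which each package directory holds a `url` file with one clone URL.

```python
"""Audit a Julia METADATA checkout for package URLs fetched without TLS.

Assumption of this example: METADATA/<PackageName>/url holds one git
clone URL per package (the METADATA.jl layout).
"""
import os
from urllib.parse import urlsplit

# Schemes that give no transport integrity: an intermediate network can
# alter what the client receives.
UNPROTECTED = {"git", "http"}


def classify(url):
    """Return the transport scheme of a clone URL, lowercased."""
    url = url.strip()
    if "://" not in url and "@" in url:
        return "scp-ssh"  # git@host:path form, carried over SSH
    return urlsplit(url).scheme.lower()


def audit(urls):
    """Count packages per scheme and list those on unprotected transports.

    urls: mapping package name -> clone URL.
    Returns (counts_by_scheme, sorted names of flagged packages).
    """
    counts, flagged = {}, []
    for name, url in urls.items():
        scheme = classify(url)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme in UNPROTECTED:
            flagged.append(name)
    return counts, sorted(flagged)


def to_https(url):
    """Suggest an https:// equivalent for a git:// or http:// URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in UNPROTECTED:
        return url.strip()
    return "https://" + parts.netloc + parts.path


def load_metadata(root):
    """Read <root>/<Package>/url for every package directory."""
    urls = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "url")
        if os.path.isfile(path):
            with open(path) as f:
                urls[name] = f.read().strip()
    return urls


# Constructed sample input; not the real METADATA contents.
SAMPLE = {
    "Foo": "git://github.com/example/Foo.jl.git",
    "Bar": "https://github.com/example/Bar.jl.git",
    "Baz": "http://github.com/example/Baz.jl.git",
}

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE)
    print(counts)  # scheme -> number of packages
    for name in flagged:
        print(name, "->", to_https(SAMPLE[name]))
```

Run it against a real checkout with `audit(load_metadata("/path/to/METADATA"))`.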
