I understand since there is no login information being sent to plugins.netbeans.org, that security is less of a concern, but this is a front facing website. It is not just used by the IDE. Browsers are going to start yelling at us when we go to any http site (as I personally think they should be). Call me paranoid, but I think the trend toward 100% of web traffic being TLS encrypted is a good one. Also if plugins.netbeans.org upgrades to HTTP2, it MUST be TLS then.
On Tue, Sep 25, 2018 at 1:04 PM Antonio <anto...@vieiro.net> wrote: > Hi Kenneth, > > I don't think there's any security related problem here. The Apache > Mirror System, for instance, uses "http" frequently. IMHO there's no > need to encrypt files that are publicly available for everyone to see. > > Security is on the IDE side: verifying that the downloaded file has not > been modified while on transit, either by using a PGP signature or other > digesting techniques, as the ASF guidelines mandate. > > Cheers, > Antonio > > El 25/09/2018 a las 18:55, Kenneth Jaeger escribió: > > The plugins.netbeans.org does not use https by default, nor does it > allow > > https. An error occurs if you try to change it to https. > > > > The updates.netbeans.org site does allow the use of https, but does not > > redirect to https if http is used. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@netbeans.incubator.apache.org > For additional commands, e-mail: dev-h...@netbeans.incubator.apache.org > > For further information about the NetBeans mailing lists, visit: > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists > > > >
