I understand since there is no login information being sent to
plugins.netbeans.org, that security is less of a concern, but this is a
front facing website.  It is not just used by the IDE.  Browsers are going
to start yelling at us when we go to any http site (as I personally think
they should be).  Call me paranoid, but I think the trend toward 100% of
web traffic being TLS encrypted is a good one.  Also if plugins.netbeans.org
upgrades to HTTP2, it MUST be TLS then.

On Tue, Sep 25, 2018 at 1:04 PM Antonio <anto...@vieiro.net> wrote:

> Hi Kenneth,
>
> I don't think there's any security related problem here. The Apache
> Mirror System, for instance, uses "http" frequently. IMHO there's no
> need to encrypt files that are publicly available for everyone to see.
>
> Security is on the IDE side: verifying that the downloaded file has not
> been modified while on transit, either by using a PGP signature or other
> digesting techniques, as the ASF guidelines mandate.
>
> Cheers,
> Antonio
>
> El 25/09/2018 a las 18:55, Kenneth Jaeger escribió:
> > The plugins.netbeans.org does not use https by default, nor does it
> allow
> > https.  An error occurs if you try to change it to https.
> >
> > The updates.netbeans.org site does allow the use of https, but does not
> > redirect to https if http is used.
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@netbeans.incubator.apache.org
> For additional commands, e-mail: dev-h...@netbeans.incubator.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
>
>
>

Reply via email to