On 16 February 2018 at 07:20, Heiko L. <[email protected]> wrote:
> A user should be able to decide for himself whether to use HTTP or HTTPS.

No, as without any other form of package or metadata signing, we're
currently relying heavily on transport layer security to ensure that
the information that the server sends is the information that the end
user receives.

Any access over HTTP can be transparently intercepted and altered to
include a malicious payload (and there were a number of in-the-wild
proofs-of-concept for this when using shared wireless networks before
the service switched to HTTPS only).

Regards,
Nick.

-- 
Nick Coghlan   |   [email protected]   |   Brisbane, Australia
_______________________________________________
Distutils-SIG maillist  -  [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
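
Since the reply above notes that the index relies on transport security rather than signatures, one client-side check is to audit installer settings for sources that bypass TLS. This is an added example, not part of the original message: it scans pip configuration or requirements text for plain-HTTP sources and `trusted-host` entries, and the sample input and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# pip.conf keys and requirements-file flags that name a download source.
URL_OPTS = {"index-url", "extra-index-url", "find-links", "i", "f"}
OPT_RE = re.compile(r"^\s*-{0,2}([A-Za-z-]+)\s*(?:=|\s)\s*(.+?)\s*$")

def audit_pip_sources(text):
    """Return (line_no, option, value, reason) for each transport weakness."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0]  # drop trailing comments
        if line.lstrip().startswith(("#", "[")):
            continue  # full-line comment or section header
        m = OPT_RE.match(line)
        if not m:
            continue
        opt, value = m.group(1).lower(), m.group(2)
        if opt == "trusted-host":
            # pip skips certificate validation for hosts listed here.
            findings.append((no, opt, value, "TLS verification waived for host"))
        elif opt in URL_OPTS:
            for url in value.split():
                if urlsplit(url).scheme == "http":
                    findings.append((no, opt, url, "plain HTTP source"))
    return findings

# Constructed sample mixing pip.conf keys and requirements-file flags.
SAMPLE = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = http://mirror.example.test/simple
trusted-host = mirror.example.test
--find-links http://files.example.test/wheels
-i https://pypi.org/simple
requests==2.18.4
"""

if __name__ == "__main__":
    for no, opt, value, reason in audit_pip_sources(SAMPLE):
        print(f"line {no}: {opt} {value} ({reason})")
```

Single-line option values only; multi-line values in pip.conf are not followed.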
