Jakob Egger wrote: > is there currently a secure way to download the libssh2 source?
You can use: https://git.libssh2.org/libssh2.git https://trac.libssh2.org/ ..if you trust CAcert. > GPG signatures don't really help when they are also hosted on an > unsecure server. A GPG signature (like a cert) only tells you anything if you have established a trust relationship with the key. If you don't have any way to trust the key then the signature (and cert) tells you nothing. > If missing HTTPS support is related to cost, I can offer to pay for > an SSL certificate. If you want to go ahead with this I could send you a CSR which includes {trac,git}.libssh2.org, but there would also be other names in there, since the same IP is used for serving multiple things. (All of which are non-commercial.) Daniel Stenberg wrote: > Personally, I wouldn't mind switching over to hosting the source code repo > at github > All in the name of going where there's already a large amount of > users, it brings features and it encourages and simplifies collaboration > even further. Do it "like the kids do". Since when was being mainstream ever a good thing? GitHub Inc. is a privately held company in the USA. I don't see how it could be beneficial in any way for the project to give up its independence. > And it makes the infrastructure less dependent on individual volunteers. If we had been having lots of problems with the infrastructure I agree that this would have been a good argument. But I don't think that we've had so many problems that we need a change. >> If missing HTTPS support is related to cost, I can offer to pay for an SSL >> certificate. > > It is related to cost, but not strictly the price for the certificate but > even more so the effort and maintenence cost in time and energy. Please speak for yourself. The time for me to generate a new key and exchange the cert is negligible. > Hence I would prefer to use an existing (and proven) infrastructure for it. Our system with Trac, gitweb and git-daemon does https since 2012, so both existing and proven. :) > My slightly longer term plan is to jump on the letsencrypt.com bandwagon > once that goes live and offer HTTPS for libssh2.org (and all other sites I > host) from then on. FWIW I think that could be a fine plan. It's an interesting project and I might also jump on, but probably not right away. //Peter _______________________________________________ libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
