On 06/01/16 23:44, Ryan Schmidt wrote:
> On Jan 6, 2016, at 4:44 AM, Russell Jones wrote:
>> I was thinking you might use git+https://github.com/python/cpython.git/Doc with
>> a set checkout id using the GitHub PortGroup, but that would require building
>> the docs.
>>
>> How about using https://docs.python.org and relying on python.org's SSL cert to
>> ensure the integrity rather than the MacPorts checksum?
>
> An SSL certificate does not guarantee the user is getting the same files the
> maintainer did. It only guarantees the user is talking to the same server. The
> server could be compromised, or (as is the case here) the developers could
> issue stealth updates.

Sure. It's just better than using http at making an MITM attack harder
(though not impossible, as Daniel points out), which was the original
objection. Better to do it right, though, definitely.
On Daniel's point: checking an SSL cert provides a guarantee from some
certificate issuer, given a competent sysadmin, etc., that the host name
matches it. Do you have some reason to think there are issuers in the
root certificate list that would issue bogus python.org certs? Or are
you talking about a cert being stolen? I'm not sure what you mean by
"just ... valid".
Russell
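
The distinction drawn in this thread, between authenticating the server and pinning the file contents, as an added example (not code from the thread or from MacPorts). The function names and the byte strings are constructed for illustration; all three inputs are assumed to arrive over a valid TLS connection to the same host, so only the pinned size and SHA-256 can tell them apart.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024  # read size for streaming large distfiles


def pin(data: bytes) -> dict:
    """What a maintainer records at packaging time: size and SHA-256."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verify(stream, pinned: dict) -> list:
    """Return the pinned fields that the fetched stream fails to match."""
    digest = hashlib.sha256()
    size = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        size += len(chunk)
        digest.update(chunk)
    failures = []
    if size != pinned["size"]:
        failures.append("size")
    if not hmac.compare_digest(digest.hexdigest(), pinned["sha256"]):
        failures.append("sha256")
    return failures


# Constructed sample data standing in for a documentation archive.
ORIGINAL = b"docs archive as fetched by the maintainer\n" * 100
# Same URL, same length, different bytes: a silently re-issued archive.
STEALTH = ORIGINAL.replace(b"maintainer", b"MAINTAINER", 1)
# A download cut short in transit or on the server.
TRUNCATED = ORIGINAL[:-10]
PINNED = pin(ORIGINAL)


def check_all() -> dict:
    """Verify each constructed download against the maintainer's pin."""
    samples = {"original": ORIGINAL, "stealth": STEALTH, "truncated": TRUNCATED}
    return {name: verify(io.BytesIO(data), PINNED) for name, data in samples.items()}


if __name__ == "__main__":
    for name, failures in check_all().items():
        print(name, "OK" if not failures else "MISMATCH: " + ", ".join(failures))
```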