Sam, Ryan, I, and others have been moving Racket services to HTTPS: https://racket-lang.org/
We're changing all references to use HTTPS, so if you go to "http://racket-lang.org" (no "s"), the "Download" link takes you to "https://download.racket-lang.org/". The default download button on that page similarly points to "https://mirror.racket-lang.org/". We have not yet started enforcing HTTPS on any of our pages, either through a redirect from "http://" to "https://" or through HSTS. We want to gain more confidence in our setup before taking that step. Packages and catalog: You can set "https://pkgs.racket-lang.org/" as your package catalog, and we've made that the default for the next release. Beware, however, that `raco pkg` in v6.3 and earlier does not actually make a secure connection for HTTPS references (because it doesn't validate the server's certificate); we've fixed that for the next release. With the development version of Racket, if you want to use an insecure HTTPS reference for some reason with `raco pkg` (e.g., to a server with a self-signed certificate), set the `PLT_PKG_SSL_NO_VERIFY` environment variable. General security note: Except for "https://mirror.racket-lang.org", HTTPS content is provided via CloudFlare from an HTTP (not HTTPS) access of S3. So, you can only trust the content of "https://pkgs.racket-lang.org" to the degree that you trust Amazon, CloudFlare, and the channel between them to provide the data that we put on S3. We may eventually strengthen the channel between our data (especially package metadata) and HTTPS services, but we're not working on that right now. -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.