On Wed, Oct 25, 2017 at 6:12 PM, Emmanuel Charpentier <emanuel.charpent...@gmail.com> wrote: > During the > [discussion](https://groups.google.com/d/msg/sage-devel/fE45025Wphs/mKdCAeNhAgAJ) > of the inclusion of OpenSSL, a few remarks were mafdeabout the security of > our distribution infrastructure. > > > It has been noted that http is ridiculously easy to hijack, and some have > remarked that this potential threat also applied to the http downloads from > our mirrors. > > I think we should consider this issue, an plan to post (Real Soon Now) a > call for discussion about this. What is the relevant list ? > > Others remarked that a non-SSL-enabled pip, which impedes, for example, > downloading from Pipy, sort-of enhanced security by suppressing a possible > source of attack. No comments... > > I have a few questions : > * Would it be difficult/onerous/cumbersome to ask our mirrors to switch to > https-only service ? > * Would such a measure significantly lower the possibility of attacks of a > Sage user/developer machine via "http hijacking" ? > * what is the likelihood of such an attack ?
Very low, but I would still be +1 on switching to HTTPS for mirrors and SHA-256 hashes for packages (the latter especially). -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.