This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Prefer https: for GNU and FSF URLs
- From: "Maciej W. Rozycki" <macro at imgtec dot com>
- To: Jonathan Nieder <jrnieder at gmail dot com>
- Cc: Paul Eggert <eggert at cs dot ucla dot edu>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Thu, 5 Oct 2017 00:19:53 +0100
- Subject: Re: [PATCH] Prefer https: for GNU and FSF URLs
Hi Jonathan,
> > What's wrong with FTP, especially as given what you have stated it seems
> > useful for people beyond myself, and not merely (as it is in my case) for
> > convenience reasons?
>
> FTP is vulnerable to mitm in the same way as HTTP is.
Hmm, weren't the GPG signatures meant to address it? Though indeed the
keys I've seen used weren't particularly trustable, with very few if any
signatures attached, so that could be considered a failed attempt. OTOH
with HTTPS we need to trust the CA, which might be the single weak point.
Maciej