[144262] trunk/dports/lang/py-htmldocs/Portfile
Russell Jones
russell.jones at physics.ox.ac.uk
Thu Jan 7 02:53:00 PST 2016
On 06/01/16 23:44, Ryan Schmidt wrote:
> On Jan 6, 2016, at 4:44 AM, Russell Jones wrote:
>
>> I was thinking you might use git+https://github.com/python/cpython.git/Doc with a set checkout id using the GitHub PortGroup, but that would require building the docs.
>>
>> How about using https://docs.python.org and relying on python.org's SSL cert to ensure the integrity rather than the MacPorts checksum?
> An SSL certificate does not guarantee the user is getting the same files the maintainer did. It only guarantees the user is talking to the same server. The server could be compromised, or (as is the case here) the developers could issue stealth updates.
>
Sure. It's just better than using http at making an MITM attack harder
(though not impossible, as Daniel points out), which was the original
objection. Better to do it right, though, definitely.

On Daniel's point: checking an SSL cert provides a guarantee from some
certificate issuer, given a competent sysadmin, etc., that the host name
matches it. Do you have some reason to think there are issuers in the
root certificate list that would issue bogus python.org certs? Or are
you talking about a cert being stolen? I'm not sure what you mean by
"just ... valid".

Russell