[144262] trunk/dports/lang/py-htmldocs/Portfile

Russell Jones russell.jones at physics.ox.ac.uk
Thu Jan 7 02:53:00 PST 2016



On 06/01/16 23:44, Ryan Schmidt wrote:
> On Jan 6, 2016, at 4:44 AM, Russell Jones wrote:
>
>> I was thinking you might use git+https://github.com/python/cpython.git/Doc with a set checkout id using the GitHub PortGroup, but that would require building the docs.
>>
>> How about using https://docs.python.org and relying on python.org's SSL cert to ensure the integrity rather than the MacPorts checksum?
> An SSL certificate does not guarantee the user is getting the same files the maintainer did. It only guarantees the user is talking to the same server. The server could be compromised, or (as is the case here) the developers could issue stealth updates.
>
Sure. It's just better than using http at making an MITM attack harder 
(though not impossible, as Daniel points out), which was the original 
objection. Better to do it right, though, definitely.

On Daniel's point: checking an SSL cert provides a guarantee from some 
certificate issuer, given a competent sysadmin, etc., that the host name 
matches it. Do you have some reason to think there are issuers in the 
root certificate list that would issue bogus python.org certs? Or are 
you talking about a cert being stolen? I'm not sure what you mean by 
"just ... valid".

Russell
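
The distinction discussed in this thread, as an added example that is not part of the original message and is not MacPorts code: a checksum pinned in the Portfile rejects a silently re-rolled archive even when it arrives over a valid TLS connection. The archive contents, the helper names and the generated `checksums` stanza are constructed for illustration; only `sha256` and `size` are exercised.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the docs archive: what the maintainer fetched,
# and what the same HTTPS URL serves after a silent re-roll upstream.
MAINTAINER_COPY = b"python-docs-html, as fetched when the Portfile was written\n"
STEALTH_UPDATE = b"python-docs-html, silently regenerated upstream\n"


def parse_checksums(stanza):
    """Parse 'checksums <type> <value> ...' (backslash continuations allowed)."""
    words = re.sub(r"\\\s*\n", " ", stanza).split()
    if not words or words[0] != "checksums" or len(words) % 2 != 1:
        raise ValueError("malformed checksums stanza")
    return dict(zip(words[1::2], words[2::2]))


def verify_distfile(data, pinned):
    """Return the checksum types that do not match; empty list means accepted."""
    if not pinned:
        raise ValueError("no checksums pinned")
    failures = []
    for kind, expected in pinned.items():
        if kind == "size":
            ok = str(len(data)) == expected
        else:
            # Portfiles write RIPEMD-160 as 'rmd160'; hashlib names it 'ripemd160'.
            # An unknown or unavailable type raises ValueError (fail closed).
            name = {"rmd160": "ripemd160"}.get(kind, kind)
            actual = hashlib.new(name, data).hexdigest()
            ok = hmac.compare_digest(actual, expected.lower())
        if not ok:
            failures.append(kind)
    return failures


def make_stanza(data):
    """Build the stanza a maintainer would record for `data` (hypothetical helper)."""
    return "checksums sha256 {} \\\n    size {}".format(
        hashlib.sha256(data).hexdigest(), len(data))


if __name__ == "__main__":
    pinned = parse_checksums(make_stanza(MAINTAINER_COPY))
    print("maintainer copy:", verify_distfile(MAINTAINER_COPY, pinned) or "ok")
    print("stealth update: ", verify_distfile(STEALTH_UPDATE, pinned))
```

TLS does not enter into the check at all: both byte strings could come from the genuine server, and only the pinned values tell them apart.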

