Subject: Re: Download libssh2 source via HTTPS?

From: Peter Stuge <peter_at_stuge.se>
Date: Wed, 4 Mar 2015 14:34:21 +0100

Jakob Egger wrote:
> is there currently a secure way to download the libssh2 source?

You can use:

https://git.libssh2.org/libssh2.git
https://trac.libssh2.org/

..if you trust CAcert.

> GPG signatures don't really help when they are also hosted on an
> unsecure server.

A GPG signature (like a cert) only tells you anything if you have
established a trust relationship with the key. If you don't have any
way to trust the key then the signature (and cert) tells you nothing.

> If missing HTTPS support is related to cost, I can offer to pay for
> an SSL certificate.

If you want to go ahead with this I could send you a CSR which
includes {trac,git}.libssh2.org, but there would also be other names
in there, since the same IP is used for serving multiple things.
(All of which are non-commercial.)

Daniel Stenberg wrote:
> Personally, I wouldn't mind switching over to hosting the source code repo
> at github

> All in the name of going where there's already a large amount of
> users, it brings features and it encourages and simplifies collaboration
> even further. Do it "like the kids do".

Since when was being mainstream ever a good thing?

GitHub Inc. is a privately held company in the USA. I don't see how it
could be beneficial in any way for the project to give up its independence.

> And it makes the infrastructure less dependent on individual volunteers.

If we had been having lots of problems with the infrastructure I agree
that this would have been a good argument. But I don't think that we've
had so many problems that we need a change.

>> If missing HTTPS support is related to cost, I can offer to pay for an SSL
>> certificate.
>
> It is related to cost, but not strictly the price for the certificate but
> even more so the effort and maintenance cost in time and energy.

Please speak for yourself. The time for me to generate a new key and
exchange the cert is negligible.

> Hence I would prefer to use an existing (and proven) infrastructure for it.

Our system with Trac, gitweb and git-daemon does https since 2012, so
both existing and proven. :)

> My slightly longer term plan is to jump on the letsencrypt.com bandwagon
> once that goes live and offer HTTPS for libssh2.org (and all other sites I
> host) from then on.

FWIW I think that could be a fine plan. It's an interesting project
and I might also jump on, but probably not right away.

//Peter
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2015-03-04
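Peter's point above, that a signature (like a certificate) says nothing until you have established trust in the key, is the part a downloader has to implement for themselves: a GPG "Good signature" line over a tarball fetched from the same unauthenticated server proves nothing if the key was fetched from there too. The usual remedy is to pin the fingerprint of a key you have verified out of band and to check the machine-readable `gpg --status-fd` output against that pin rather than reading the human-readable text. The following is an added example written for this archive page; it is not code from the libssh2 project or from anyone on the thread. The fingerprints, the `release@example.invalid` user id and the status lines in it are constructed placeholders, and `verify_detached` assumes a `gpg` binary on `PATH`.

```python
"""Verify a detached GPG signature against a pinned key fingerprint.

Added example (not libssh2 code). It parses `gpg --status-fd` output and
accepts a signature only when the signing key's primary fingerprint equals
one the verifier pinned out of band. Relying on the fingerprint pin, rather
than on gpg's web-of-trust verdict, is what turns "Good signature" into a
statement about *who* signed.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Fingerprint of the key you verified out of band (e.g. compared against a
# fingerprint obtained over an independent channel). Constructed placeholder,
# NOT the libssh2 release key: replace it before real use.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"


def normalize_fpr(fpr: str) -> str:
    """Strip the spacing gpg prints and upper-case, so pins compare reliably."""
    return "".join(fpr.split()).upper()


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str]   # primary-key fingerprint that produced the signature
    reason: str


def judge_status(lines: Iterable[str], pinned: str = PINNED_FINGERPRINT) -> Verdict:
    """Decide from gpg status-fd lines whether the data is signed by the pinned key.

    Policy: any BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG fails; exactly one
    VALIDSIG is required and its primary fingerprint must equal the pin.
    TRUST_* lines are ignored on purpose: the pin replaces gpg's trust model.
    """
    want = normalize_fpr(pinned)
    valid: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kind = fields[1]
        if kind in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, None, f"gpg reported {kind}")
        if kind == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            # When the signature comes from a subkey, field 11 carries the
            # primary key's fingerprint; that is the identity we pinned.
            primary = fields[11] if len(fields) > 11 else fields[2]
            valid.append(normalize_fpr(primary))
    if not valid:
        return Verdict(False, None, "no VALIDSIG line (unsigned, or signature unreadable)")
    if len(valid) != 1:
        return Verdict(False, None, "more than one signature; refusing to pick one")
    if valid[0] != want:
        return Verdict(False, valid[0], "valid signature, but not from the pinned key")
    return Verdict(True, valid[0], "signed by the pinned key")


def verify_detached(signature_path: str, data_path: str,
                    pinned: str = PINNED_FINGERPRINT) -> Verdict:
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return judge_status(proc.stdout.splitlines(), pinned)


# Constructed status output, shaped like what gpg emits; not a real session.
# Note TRUST_UNDEFINED: gpg itself says it cannot vouch for the key, which is
# exactly why the caller must bring its own pin.
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-03-04 1425476061 0 4 0 1 10 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_OTHER_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2015-03-04 1425476061 0 4 0 1 10 00",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>",
]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("other key", SAMPLE_OTHER_KEY), ("bad", SAMPLE_BAD)):
        v = judge_status(sample)
        print(f"{name:9s} ok={v.ok} fpr={v.fingerprint} reason={v.reason}")
```

The `SAMPLE_OTHER_KEY` case is the one worth noticing: gpg reports a good signature from a key it even marks ultimately trusted, yet the pin rejects it, because local trust settings on the downloader's machine are not the trust relationship Peter is talking about. Fetch the key once, confirm its fingerprint against a source independent of the download server, pin it, and let the pin decide from then on.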