[isabelle-dev] Use HTTPS for components

Lars Hupel hupel at in.tum.de
Wed Jul 13 00:28:22 CEST 2016


Dear Isabelle developers,

all of the critical Isabelle infrastructure (even website mirrors) is
reachable via HTTPS. For Jenkins, it's not so important. For executable
code, it is very important. Hence I would like to propose a simple
change in the global "etc/settings":

-ISABELLE_COMPONENT_REPOSITORY="http://isabelle.in.tum.de/components"
+ISABELLE_COMPONENT_REPOSITORY="https://isabelle.in.tum.de/components"

Because we don't sign components, we should at least make them available
over HTTPS. This is the bare minimum according to security best practices.

Potential disadvantage: Fetching from HTTPS using Perl's libwww requires
an addon package ("LWP-Protocol-https").

Potential remedy: Switch to curl for fetching components
- readily available everywhere
- less Perl required

(Note that it appears that that specific Perl addon is not available
under Cygwin.)

I don't think we should let shortcomings of some Perl module dictate a
lack of security.

Cheers
Lars


More information about the isabelle-dev mailing list