[isabelle-dev] Use HTTPS for components

Makarius makarius at sketis.net
Wed Jul 13 15:50:24 CEST 2016

On 13/07/16 00:28, Lars Hupel wrote:
> Because we don't sign components, we should at least make them available
> over HTTPS. This is the bare minimum according to security best practices.
> Potential disadvantage: Fetching from HTTPS using Perl's libwww requires
> an addon package ("LWP-Protocol-https").
> Potential remedy: Switch to curl for fetching components
> - readily available everywhere
> - less Perl required
> (Note that it appears that that specific Perl addon is not available
> under Cygwin.)

At that time (around 2012) there were the following options to download
http material: perl, wget, curl.

I used perl for nostalgic reasons: in the past it used to be the
ultra-portable "Larry Wall Meta-Operating System" that worked without
further ado on all platforms.

This is no longer the case. We also see strange fragmentation into perl
packages and sub-packages. Maybe we need a docker container just for one
big Perl :-(

Anyway, I will take another look at curl. It seems to be universally
available on all platforms now, with very similar versions and
installation options.


More information about the isabelle-dev mailing list