[isabelle-dev] Use HTTPS for components
Makarius
makarius at sketis.net
Wed Jul 13 15:50:24 CEST 2016
On 13/07/16 00:28, Lars Hupel wrote:
>
> Because we don't sign components, we should at least make them available
> over HTTPS. This is the bare minimum according to security best practices.
>
> Potential disadvantage: Fetching from HTTPS using Perl's libwww requires
> an addon package ("LWP-Protocol-https").
>
> Potential remedy: Switch to curl for fetching components
> - readily available everywhere
> - less Perl required
>
> (Note that it appears that that specific Perl addon is not available
> under Cygwin.)
At that time (around 2012) there were the following options to download
http material: perl, wget, curl.
I used perl for nostalgic reasons: in the past it used to be the
ultra-portable "Larry Wall Meta-Operating System" that worked without
further ado on all platforms.
This is no longer the case. We also see strange fragmentation into perl
packages and sub-packages. Maybe we need a docker container just for one
big Perl :-(
Anyway, I will take another look at curl. It seems to be universally
available on all platforms now, with very similar versions and
installation options.
Makarius
More information about the isabelle-dev
mailing list