Jakob Egger wrote:
> is there currently a secure way to download the libssh2 source?
You can use:
https://git.libssh2.org/libssh2.git
https://trac.libssh2.org/
..if you trust CAcert.
> GPG signatures don't really help when they are also hosted on an
> unsecure server.
A GPG signature (like a cert) only tells you anything if you have
established a trust relationship with the key. If you don't have any
way to trust the key then the signature (and cert) tells you nothing.
> If missing HTTPS support is related to cost, I can offer to pay for
> an SSL certificate.
If you want to go ahead with this I could send you a CSR which
includes {trac,git}.libssh2.org, but there would also be other names
in there, since the same IP is used for serving multiple things.
(All of which are non-commercial.)
Daniel Stenberg wrote:
> Personally, I wouldn't mind switching over to hosting the source code repo
> at github
> All in the name of going where there's already a large amount of
> users, it brings features and it encourages and simplifies collaboration
> even further. Do it "like the kids do".
Since when was being mainstream ever a good thing?
GitHub Inc. is a privately held company in the USA. I don't see how it
could be beneficial in any way for the project to give up its independence.
> And it makes the infrastructure less dependent on individual volunteers.
If we had been having lots of problems with the infrastructure I agree
that this would have been a good argument. But I don't think that we've
had so many problems that we need a change.
>> If missing HTTPS support is related to cost, I can offer to pay for an SSL
>> certificate.
>
> It is related to cost, but not strictly the price for the certificate but
> even more so the effort and maintenance cost in time and energy.
Please speak for yourself. The time for me to generate a new key and
exchange the cert is negligible.
> Hence I would prefer to use an existing (and proven) infrastructure for it.
Our system with Trac, gitweb and git-daemon has done https since 2012, so
both existing and proven. :)
> My slightly longer term plan is to jump on the letsencrypt.com bandwagon
> once that goes live and offer HTTPS for libssh2.org (and all other sites I
> host) from then on.
FWIW I think that could be a fine plan. It's an interesting project
and I might also jump on, but probably not right away.
//Peter
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2015-03-04