
Re: HTTPS in DEP-5




On Sun, Mar 06, 2016 at 08:13:49PM +0000, Ben Hutchings wrote:
> On Sun, 2016-03-06 at 19:19 +0000, Bas Wijnen wrote:
> > On Sun, Mar 06, 2016 at 07:35:57PM +0100, Jakub Wilk wrote:
> > > 
> > > So, what are we going to do about it? I see the following options:
> > > 
> > > B) Fix the spec to allow the HTTPS URL; fix the HTTP-only consumers.
> > That.  Https is good for our users.  Even if the effect of this change is very
> > minor, we should show them that it should be the default everywhere.
> 
> The use of the 'http:' scheme in a format identifier has nothing to do
> with the protocol used to find information about the format.

I disagree.  While your statement is correct in terms of the file format, there
is more to it.  DEP-5 files are intended to be human readable.  This magic line
isn't only a token to detect that the format is used; it is also a link to the
format definition.

> You might as well advocate for changing the URLs used to identify XML
> namespaces to use the 'https:' scheme, and with the same effects on
> compatibility (negative) and security (none whatsoever).

When you follow those URLs, you see machine-readable files that may also be
semi-readable for humans.  Not something that is intended for human readers.
Those URLs really are just for defining the standards version; the DEP-5 line
is also a link to documentation.

Thanks,
Bas

