It is not hardcoded: you can change the central host and relay with a
simple commandline option.
$ wormhole --help | grep -B1 'to use'
Options:
--relay-url URL rendezvous relay to use
--transit-helper tcp:HOST:PORT transit relay to use
This could, arguably, be done in a configuration file to facilitate
using third party servers, but this can hardly be considered
hardcoded. Anyways, if the current main host goes down, I assume the
software can/will be patched to provide other hosts as options.
Keep in mind transfers are ephemeral: the central hosts are used only to
establish contact and transfer the file, then everything is torn down.
>> We still ship FTP daemons that serve files without passwords and use
>> cleartext by default.
>
> They're not labeled "secure" though ;)
Actually, quite a few are:
I agree it is somewhat of an empty word, but it shouldn't be considered
reason enough to keep stuff from entering Debian, because then you'd
have a *lot* of packages to kick out the archive. Heck, "apt search
secure" suggests I installed zendframework, and we know how scary PHP
security has been in the past. ;)
> Just to clarify, I never objected to the package itself, just that I
> wasn't sure about it being called "secure". I don't know enough about
> the algorithms and attack surfaces involved to make any kind of
> qualified statement though, so maybe it does qualify as secure.
Well, I am not a cryptographer myself, so I can't comment about the
algorithm. But I am somewhat familiar with such protocols and I found
they brought a novel and robust system in place, that has similar
robustness properties than existing protocols (e.g. Oauth with a
digit-only PIN) with interesting enhancements that make it fail more
gracefully (abort transfer after first failed attempt).
May I suggest that, if you do not know enough about security protocols,
you refrain from discouraging people, that do have some knowledge about
them, from packaging software into Debian? :)