
Bug#893162: ITP: libhsts -- library for checking HSTS preload list



Daniel Kahn Gillmor wrote:
> AIUI, future versions of wget will want to use something like libhsts
> to improve communications security for the user.

Note that (AFAIK):

  1. wget2 1.99 (in Debian 11) uses internal code to generate a persistent ~/.wget-hsts.
     This does not require libhsts or any preload file (#893159).
     It means if you do

         wget2 http://google.com
         wget2 http://google.com

     The second call will remember HSTS learnt from the first one.
     This is better than nothing.

  2. libhsts IS the code from wget2.
     It was spun out into a separate library so wget1 could also use it.

  3. wget2 2.00 (releasing this week) needs libhsts;
     the functionality is no longer bundled as it was in 1.99.

     Without libhsts, wget2 2.00 can be built and packaged, but
     ~/.wget-hsts will be ignored (i.e. A REGRESSION!)

On that basis, I don't think #893159 should block #893162, since
~/.wget-hsts is useful even without a chromium preload file.
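
The learn-then-remember behaviour from point 1, sketched as an added example (not part of the original message and not code from wget2 or libhsts). The class name `HstsStore`, the JSON file layout and the host `example.test` are constructed for illustration and do not reflect the real ~/.wget-hsts format.

```python
import json
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Toy persistent HSTS cache; the JSON layout is constructed, not wget2's format."""
    def __init__(self, path):
        self.path = path
        try:
            with open(path) as fh:
                self.entries = json.load(fh)
        except FileNotFoundError:
            self.entries = {}

    def learn(self, url, sts_header, now=None):
        """Record a Strict-Transport-Security header seen on a response to `url`."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return  # RFC 6797: the header is ignored over plain HTTP
        max_age, subdomains = None, False
        for directive in sts_header.split(";"):
            name, _, value = directive.partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                subdomains = True
        if max_age is None:
            return
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 means "forget this host"
        else:
            self.entries[parts.hostname] = {"expires": now + max_age, "subdomains": subdomains}
        with open(self.path, "w") as fh:
            json.dump(self.entries, fh)

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// when an unexpired entry covers the host."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry["expires"] > now and (i == 0 or entry["subdomains"]):
                return urlunsplit(parts._replace(scheme="https"))
        return url
```

A store like this protects only hosts already visited once over HTTPS; a preload list covers the first contact as well.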

