Bug#893162: ITP: libhsts -- library for checking HSTS preload list
Trent W. Buck wrote:
> Daniel Kahn Gillmor wrote:
> > AIUI, future versions of wget will want to use something like libhsts
> > to improve communications security for the user.
>
> Note that (AFAIK):
>
> 1. wget2 1.99 (in Debian 11) uses internal code to generate a persistent ~/.wget-hsts.
> This does not require libhsts or any preload file (#893159).
> It means if you do
>
> wget2 http://google.com
> wget2 http://google.com
>
> The second call will remember HSTS learnt from the first one.
> This is better than nothing.
>
> 2. libhsts IS the code from wget2.
> It was spun out into a separate library so wget1 could also use it.
>
> 3. wget2 2.00 (releasing this week) needs libhsts;
> the functionality is no longer bundled as it was in 1.99.
>
> Without libhsts, wget2 2.00 can be built and packaged, but
> ~/.wget-hsts will be ignored (i.e. A REGRESSION!)
>
> On that basis, I don't think #893159 should block #893162, since
> ~/.wget-hsts is useful even without a chromium preload file.
Sorry, apparently I was wrong.
16:24 <rockdaboot[m]> HSTS Handling is done internally. Libhsts only is for preloading HSTS rules (normally taken from Chromium)
Reply to: