[PD-dev] moving to git
Chris McCormick
chris at mccormick.cx
Tue Oct 20 05:52:17 CEST 2015
Hi,

On 19/10/15 17:48, Roman Haefeli wrote:
> On Fri, 2015-10-16 at 19:45 +0000, Jonathan Wilkes wrote:
>> If you do that over http then you don't have any way of knowing
>> whether the data that you requested is the data that you get back.

With HTTPS you also don't know that.

HTTPS changes the trust/threat model but it is not magic. You still
don't know if the data you requested is the data you get back (server
compromise, SSL bugs, etc).

Of course I agree completely with Jonathan's point that HTTP requests
should be made through an encrypted connection wherever possible.

> What IOhannes did - signing tags - tackles this very issue the single
> best way, if I understand the issue correctly.

Another alternative is to obtain the SVN checkout and the git checkout
of the particular external you want to build and compare them with e.g.
recursive diff.

As always, the best possible thing is to review the code to ensure it
does not contain any bugs or malicious code.

Cheers,

Chris.
--
http://mccormick.cx/
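
The recursive comparison of an SVN checkout against a git checkout suggested in the message above, as an added example that is not part of the original e-mail or of any Pd tooling. It hashes every file in both trees while skipping `.svn` and `.git` metadata; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

VCS_NAMES = {".git", ".svn"}  # metadata that legitimately differs between checkouts

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune VCS metadata in place so os.walk never descends into it.
        dirnames[:] = [d for d in dirnames if d not in VCS_NAMES]
        for name in filenames:
            if name in VCS_NAMES:  # e.g. a ".git" file in a worktree or submodule
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                # Compare the link target instead of following it out of the tree.
                data = b"symlink:" + os.readlink(path).encode()
            else:
                with open(path, "rb") as fh:
                    data = fh.read()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests

def compare_checkouts(svn_root, git_root):
    """Report files missing from either side and files whose contents differ."""
    svn, git = manifest(svn_root), manifest(git_root)
    shared = svn.keys() & git.keys()
    return {"only_in_svn": sorted(svn.keys() - git.keys()),
            "only_in_git": sorted(git.keys() - svn.keys()),
            "content_differs": sorted(p for p in shared if svn[p] != git[p])}

def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Run the comparison on two small constructed trees (not real externals)."""
    with tempfile.TemporaryDirectory() as tmp:
        svn_root, git_root = os.path.join(tmp, "svn"), os.path.join(tmp, "git")
        write_tree(svn_root, {".svn/entries": b"12\n", "README.txt": b"docs\n",
                              "src/ext.c": b"int f(void) { return 0; }\n"})
        write_tree(git_root, {".git/HEAD": b"ref: refs/heads/master\n",
                              "Makefile": b"all:\n",
                              "src/ext.c": b"int f(void) { return 1; }\n"})
        return compare_checkouts(svn_root, git_root)
```

Three empty lists mean the two checkouts carry byte-identical source files; any entry in `content_differs` is a file to read by hand.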