Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87321 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 97178 invoked from network); 27 Jul 2015 15:46:30 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Jul 2015 15:46:30 -0000 Authentication-Results: pb1.pair.com smtp.mail=hannes.magnusson@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=hannes.magnusson@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.169 as permitted sender) X-PHP-List-Original-Sender: hannes.magnusson@gmail.com X-Host-Fingerprint: 209.85.217.169 mail-lb0-f169.google.com Received: from [209.85.217.169] ([209.85.217.169:35161] helo=mail-lb0-f169.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0F/12-17059-25256B55 for ; Mon, 27 Jul 2015 11:46:27 -0400 Received: by lblf12 with SMTP id f12so56347515lbl.2 for ; Mon, 27 Jul 2015 08:46:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=iEIYP7lNRZmKA0tBr2t6JCNZBV1OJTPTxF5HdmoBWhw=; b=OVxypCGzw/ZRLGgbGKpnQApYibFLLMqpgeQ5omL2gF3kYtTTw4u4XKIZzRY8cvk6yC nAJ+fxfXLltpFvqWQrfWzfY9mdQrHnokvz5dYEgOyx59p+nuKJMo/WhjRbWk4QOrLVnZ pp1ib3HY9EZnB/B6eclRV4i1jg3Ir3GzxbHAWF8qGiB7X8KGBqQVOf0hmRZDh3Gb0aPm upHBmhPY4wcVT/r8awiY022cbzHo+yBP8hFGoYecxmJ4Vi2p6Adbet7BQPh3ClvsN52l 9O6hKX3GBKFxtZ48d7iGoi5I9CwB1Qq2QaMzzURJ+xIAn61PG1gmywwTOz9c5NDkDrHj On0A== MIME-Version: 1.0 X-Received: by 10.152.36.226 with SMTP id t2mr27653548laj.6.1438011983563; Mon, 27 Jul 2015 08:46:23 -0700 (PDT) Sender: hannes.magnusson@gmail.com Received: by 10.25.213.213 with HTTP; Mon, 27 Jul 2015 08:46:23 -0700 (PDT) In-Reply-To: References: Date: Mon, 27 Jul 2015 08:46:23 -0700 X-Google-Sender-Auth: ewAzQsz230IT9-jvYOp82_F1aeM Message-ID: To: Ferenc Kovacs Cc: PHP Internals , Stanislav Malyshev , julien pauli , Kalle Sommer Nielsen , Anatoliy Belsky Content-Type: text/plain; charset=UTF-8 Subject: Re: use https when downloading the pear installer From: bjori@php.net (Hannes Magnusson) On Mon, Jul 27, 2015 at 12:32 AM, Ferenc Kovacs wrote: > Hi, > > I've just realized that even thought https://pear.php.net/ is available, we > are still downloading the install-pear-nozlib.phar via http:// in > pear/Makefile.frag and makedist > Do you happen to know any reason for keeping it that way or is this only for > historical reasons (maybe pear.php.net did not have proper cert or > configured to accept traffic on 443 originally when the download process was > created) and should be ok to make this more secure(as it would prevent MITM > attacks). > > What do you think? I think nice catch *hat tip*. I'm pretty sure noone cared when this was written ~10 years ago -- we didn't even have any certificate issued, not even CAcert at that point. -Hannes