Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:87322
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2100 invoked from network); 27 Jul 2015 16:27:25 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jul 2015 16:27:25 -0000
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.43 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.215.43 mail-la0-f43.google.com  
Received: from [209.85.215.43] ([209.85.215.43:33921] helo=mail-la0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A1/92-17059-AEB56B55 for <internals@lists.php.net>; Mon, 27 Jul 2015 12:27:23 -0400
Received: by lafd3 with SMTP id d3so42039272laf.1
        for <internals@lists.php.net>; Mon, 27 Jul 2015 09:27:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=h6cYL/p2FpX5+K/AtrMs2mtL5fH5FhfxW7WpayhsCUM=;
        b=yUyOBMnQ4odr0czrNGCIebzOEo5vO858glS7QhoW7pnwn+Fpu8XYoaloeXKxVsyms1
         Gp4S8crI/zqzGpj6A6U4qIpWvog0aCp2v53TZt1NTeUvHwoPltzIvrcVHDOYhrPmV7Yt
         lDFJ0PIU67uLh7i524KG6nJZ3lBBqCWJ6ITiyrcdou67FANCQ+vKPvIgCKMj7THlMMh6
         UCp04m8wOe3DE/F9f7he7lJ5mpGi+CsOVJyAy6JSloTgPc9VNtq6HR7T9G57wVUldB61
         BAQYirH9is773ovdqry6GEn7OZ1pfv4sgJsInIXZpgLarScSfbllUWBgy5py3FdZrPjU
         FcEQ==
MIME-Version: 1.0
X-Received: by 10.112.210.6 with SMTP id mq6mr10469898lbc.83.1438014439592;
 Mon, 27 Jul 2015 09:27:19 -0700 (PDT)
Received: by 10.152.43.105 with HTTP; Mon, 27 Jul 2015 09:27:19 -0700 (PDT)
In-Reply-To: <CADNQb0Uu3-rvR-cX-JaRyqui7fPEeasD2=nSo++1BKUxd2VZOw@mail.gmail.com>
References: <CAH-PCH41UgBmJkvORS-7j5EETcxzkOCqrCX+h6mBvXZZDPaaUA@mail.gmail.com>
	<CADNQb0Uu3-rvR-cX-JaRyqui7fPEeasD2=nSo++1BKUxd2VZOw@mail.gmail.com>
Date: Mon, 27 Jul 2015 18:27:19 +0200
Message-ID: <CAH-PCH6-55CGzMV9LGW+LH5Z=tWzU7Hf19YHtmmLM8A6uH1h4g@mail.gmail.com>
To: Hannes Magnusson <bjori@php.net>
Cc: PHP Internals <internals@lists.php.net>, Stanislav Malyshev <stas@php.net>, julien pauli <jpauli@php.net>, 
	Kalle Sommer Nielsen <kalle@php.net>, Anatoliy Belsky <ab@php.net>
Content-Type: multipart/alternative; boundary=001a11c3cc6eda9938051bddd3ce
Subject: Re: use https when downloading the pear installer
From: tyra3l@gmail.com (Ferenc Kovacs)

--001a11c3cc6eda9938051bddd3ce
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Mon, Jul 27, 2015 at 5:46 PM, Hannes Magnusson <bjori@php.net> wrote:

> On Mon, Jul 27, 2015 at 12:32 AM, Ferenc Kovacs <tyra3l@gmail.com> wrote:
> > Hi,
> >
> > I've just realized that even thought https://pear.php.net/ is
> available, we
> > are still downloading the install-pear-nozlib.phar via http:// in
> > pear/Makefile.frag and makedist
> > Do you happen to know any reason for keeping it that way or is this onl=
y
> for
> > historical reasons (maybe pear.php.net did not have proper cert or
> > configured to accept traffic on 443 originally when the download proces=
s
> was
> > created) and should be ok to make this more secure(as it would prevent
> MITM
> > attacks).
> >
> > What do you think?
>
> I think nice catch *hat tip*.
>
> I'm pretty sure noone cared when this was written ~10 years ago -- we
> didn't even have any certificate issued, not even CAcert at that
> point.
>
>
> -Hannes
>

I will change it to https in master, and if nobody complains about it after
the next PHP7 beta/RC I will backport it to the lower branches.

--=20
Ferenc Kov=C3=A1cs
@Tyr43l - http://tyrael.hu

--001a11c3cc6eda9938051bddd3ce--