FS#51579 - [curl] pkgbuild, change the source's url scheme to https

Attached to Project: Arch Linux
Opened by . (donotfuckingdisabletheaccount) - Saturday, 29 October 2016, 22:12 GMT
Last edited by Dave Reisner (falconindy) - Sunday, 06 November 2016, 22:29 GMT
Task Type Feature Request
Category Security
Status Closed
Assigned To Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

.
This task depends upon

Closed by Dave Reisner (falconindy)
Sunday, 06 November 2016, 22:29 GMT
Reason for closing: None
Comment by . (donotfuckingdisabletheaccount) - Saturday, 29 October 2016, 22:15 GMT
https://curl.haxx.se/download/curl-7.50.3.tar.xz make it download the xz tarball

edit: it seems that he forgot to make a signature for the xz one
Comment by Allan McRae (Allan) - Saturday, 29 October 2016, 23:48 GMT
There is zero gain in doing this given we verify the PGP signature and ensure it comes from a key with a specific PGP fingerprint.
Comment by Paul Bredbury (brebs) - Sunday, 30 October 2016, 08:39 GMT
Allan - wrong, that's a strange answer. There is zero gain in arguing about the change, rather than just making it.

HTTPS is much more secure than HTTP.
Comment by Allan McRae (Allan) - Sunday, 30 October 2016, 08:51 GMT
The curl PKGBUILD downloads the source, verifies its PGP signature and ensures that signature comes from the upstream developer's key.

How does https improve on this? If a malicious party has got a copy of the developer's signing key, using https is not going to save you.
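The two layers under discussion, HTTPS transport and the detached-signature check makepkg performs against validpgpkeys, as an added example that is not the Arch curl PKGBUILD or any Arch code: a small lint over PKGBUILD-style source entries that rejects plain-http URLs and tarballs without a matching .asc entry, which also catches the unsigned xz tarball the report mentions. The .asc suffix and the all-zero fingerprint are assumptions; the real upstream fingerprint is not on the page.

```shell
#!/bin/sh
# Added example, not the curl PKGBUILD from the Arch repos: lint a
# PKGBUILD-style source list for the two layers discussed in the report,
# https:// transport plus a detached signature that makepkg checks
# against validpgpkeys. Fingerprint below is a placeholder.

pkgver=7.50.3
validpgpkeys='0000000000000000000000000000000000000000'   # placeholder

# What the report asks for: https:// tarball plus its .asc signature.
sources_https="https://curl.haxx.se/download/curl-$pkgver.tar.gz
https://curl.haxx.se/download/curl-$pkgver.tar.gz.asc"

# Plain http:// transport: only the PGP layer protects the download.
sources_http="http://curl.haxx.se/download/curl-$pkgver.tar.gz
http://curl.haxx.se/download/curl-$pkgver.tar.gz.asc"

# The xz tarball noted in the report, published without a signature.
sources_xz="https://curl.haxx.se/download/curl-$pkgver.tar.xz"

# has_entry LIST URL: 0 if URL is one of the whitespace-separated LIST entries.
has_entry() {
    for e in $1; do [ "$e" = "$2" ] && return 0; done
    return 1
}

# check_sources LIST: 0 only if every entry uses https://, every tarball
# entry has a matching "<url>.asc" entry, and validpgpkeys is set.
check_sources() {
    rc=0
    for url in $1; do
        case "$url" in
            https://*) ;;
            *) echo "non-https source: $url" >&2; rc=1 ;;
        esac
        case "$url" in
            *.asc) ;;
            *) has_entry "$1" "$url.asc" ||
                   { echo "no detached signature for: $url" >&2; rc=1; } ;;
        esac
    done
    [ -n "$validpgpkeys" ] || { echo "validpgpkeys is empty" >&2; rc=1; }
    return $rc
}

check_sources "$sources_https" && echo "https + signature: ok"
check_sources "$sources_http"  || echo "http transport: rejected"
check_sources "$sources_xz"    || echo "unsigned xz tarball: rejected"
```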
Comment by Paul Bredbury (brebs) - Sunday, 30 October 2016, 09:07 GMT
That's like saying - I have a doberman in my house, therefore I don't need to lock my front door. It would be far more sensible to lock the front door.

HTTPS is a great security improvement over HTTP. It's another layer to use, since security is built on layers.

"using https is not going to save you" is missing the point. HTTPS is a useful layer of security, so use it, rather than trying to think up unlikely scenarios in which it wouldn't have helped. There are other scenarios in which it *can* help.
Comment by . (donotfuckingdisabletheaccount) - Sunday, 30 October 2016, 09:13 GMT
we can have both, security and privacy. the change to https will only benefit us. the goal is to make it impossible or as difficult as possible to have security and privacy problems with the least amount of work.
Comment by Allan McRae (Allan) - Sunday, 30 October 2016, 09:19 GMT
I have not thought up an unlikely scenario where it would not help. I provided the current state of affairs and pointed out we gain nothing.

I have yet to be provided with an example of how this is an actual improvement and not busy work.
Comment by Paul Bredbury (brebs) - Sunday, 30 October 2016, 09:23 GMT
OK, since you insist, here's a scenario:

Security researchers find a vulnerability in PGP.

The flaw in your argument is that you are assuming that PGP is 100% secure. *Nothing* is 100% secure, which is why security is built upon layers.
Comment by . (donotfuckingdisabletheaccount) - Sunday, 30 October 2016, 09:48 GMT
some things are busy work, security and privacy are not.

it is for the same reasons we use openpgp software.

there is no need to play with our luck. this is about best security practices.
Comment by . (donotfuckingdisabletheaccount) - Sunday, 30 October 2016, 10:02 GMT
https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)

your country, Allan, is a Five Eyes member. also, i have seen that many archlinux team members, including you, connecting to freenode without using tls with certificate verification with irc clients that support both. it should be a rule for all team members to connect using those always.

https is one of the things that we can use to protect ourselves. it would be stupid not to use it.
Comment by Dave Reisner (falconindy) - Sunday, 30 October 2016, 15:56 GMT
Please stop filling my inbox with garbage. It's a reasonable request, and it'll happen on the next curl release.

To the reporter, you'd be far less insufferable if you hadn't picked such a combative username. You're not a martyr, you haven't been wronged, and I'm disabling your account for the delicious irony. Please create a new one with a less antagonistic name.
Comment by . (flysprayer) - Sunday, 30 October 2016, 18:18 GMT
good.

of course i was wronged. why am i still in the ban list of the irc channels? i am not a troublemaker, and i have not been in the channels since the time i was banned. i could have easily done something to be in the channels again. i never did.

you are the one who is combative and negative. we could have talked on irc. you did not reply. that is why this task had to be added.

i chose that username because once an account is disabled it becomes impossible to comment and to add tasks with it, not because of your mistaken belief that i think of myself as a 'martyr' and that i want to fight all of you. i want us to work together, not against each other.

do not jump to conclusions next time dave.

i talked with a curl dev. i was told that xz compression will not be used again. use the lzma file.