eddelbuettel / bh

R package providing Boost Header files

travis: verify travis-tool.sh before executing #39

Closed williamcroberts closed 7 years ago

williamcroberts commented 7 years ago

Currently, grabbing the travis-tool.sh via http could be subject to http man-in-the-middle attacks.

Switch to grabbing travis-tool.sh via git over https.

Signed-off-by: William Roberts william.c.roberts@intel.com

williamcroberts commented 7 years ago

Sorry for closing-reopen, but when I force-pushed post close, I couldn't re-open the old PR... github is dumb sometimes. As long as you trust the git-repo (which I presume you do), then this would be equivalent to the old https + sha256 check.

eddelbuettel commented 7 years ago

I think I am just going to switch all curl http://... to curl https://... and call it a day. I am running CI remotely at Travis (and have no control over their systems) which pulls from remote GitHub repos.

williamcroberts commented 7 years ago

That would be fine since we assume the pull source to be trusted. I know why I initially did a sha256 check (it comes from one of my projects): it's a random tarball nabbed from sourceforge and I've only reviewed and thus trust a very specific version of that library. Cheers, thanks for working with me on this, I just happened to notice it while reviewing this project :-P
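The "https + sha256 check" pattern the thread contrasts with a plain `curl http://...` fetch, written out as an added example; this is not code from the PR or from the bh project's CI scripts. The URL, destination path and pinned digest are placeholders to be filled in by whoever adopts it; the curl options used are standard ones (`--proto '=https'` refuses any redirect to a non-TLS scheme, and certificate verification is curl's default).

```shell
#!/bin/sh
# Added example (not the bh project's own CI helper): fetch a helper script
# over HTTPS only and refuse to run it unless its SHA-256 matches a pinned
# digest. Example usage (placeholders, not real values):
#   fetch_verified_script \
#     https://example.invalid/travis-tool.sh ./travis-tool.sh <pinned-sha256>

set -u

# Print the hex SHA-256 of file $1. Portable across coreutils (sha256sum)
# and macOS/BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if file $1 has digest $2, 1 otherwise. Comparing against a value
# pinned in the repository is what detects a tampered download even when the
# transport itself was trusted.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Return 0 only for https:// URLs, so a plain-http fetch can never slip
# back in through a config edit.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch $1 to $2 over HTTPS, then check it against pinned digest $3.
# The file is executed only after the digest matches; a mismatch removes it.
fetch_verified_script() {
    url=$1
    dest=$2
    expected=$3
    if ! require_https "$url"; then
        echo "refusing non-https URL: $url" >&2
        return 1
    fi
    # --proto '=https' also forbids redirects to other schemes;
    # --fail turns an HTTP error page into a non-zero exit instead of a file.
    if ! curl --fail --silent --show-error --location \
              --proto '=https' --tlsv1.2 -o "$dest" "$url"; then
        echo "download failed for $url" >&2
        return 1
    fi
    if verify_sha256 "$dest" "$expected"; then
        sh "$dest"
    else
        echo "sha256 mismatch for $dest; not executing" >&2
        rm -f "$dest"
        return 1
    fi
}
```

Keeping the digest in the repository (rather than fetching it from the same server as the script) is the part that gives an independent check; if the digest lives next to the script on the server, anyone who can alter one can alter both.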