wbond / packagecontrol.io

The Package Control website
https://packagecontrol.io

Always use HTTPS. #69

Closed glyph closed 4 years ago

glyph commented 8 years ago

Although the hash is compared exactly, it is still useful to have belt-and-suspenders security (this also keeps what exactly is being requested from packagecontrol.io confidential, and whose business on the network is it other than the recipient's?).

wbond commented 8 years ago

This is not possible since Linux does not ship with the _ssl module. Otherwise I would have started using TLS a long time ago.

glyph commented 8 years ago

Gotcha. Would you consider a slightly more convoluted expression that would discover SSL support if the platform has it, and use it when possible?

glyph commented 8 years ago

(I had figured it might be something like this, since clearly the hash-verification meant you'd done some thinking about the security implications here...)

wbond commented 8 years ago

It isn't possible to do a single line try/except in Python, is it?

We'd probably have to import os or sys and switch to https:// when not Linux.

glyph commented 8 years ago

> It isn't possible to do a single line try/except in Python, is it?

No, not syntactically. By dark and terrible sorcery something equivalent may be accomplished but I want to make sure that it's worth doing before I attempt to harness that malign power.
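The runtime discovery glyph is asking for, written out as a multi-line helper rather than a one-liner, looks like this. This is an added example and not code from the thread or from Package Control itself; it assumes a SHA-256 digest (the thread only says "the hash"), a placeholder package path, and a constructed sample payload in place of a real download.

```python
import hashlib
import hmac
from urllib.request import urlopen

HOST = "packagecontrol.io"
# Hypothetical path; the thread does not state the real one.
PACKAGE_PATH = "Package%20Control.sublime-package"


def tls_available():
    """True when this interpreter can do TLS.

    `import ssl` raises ImportError when the C `_ssl` module is absent,
    which is exactly the situation wbond describes on Linux builds.
    """
    try:
        import ssl  # noqa: F401
    except ImportError:
        return False
    return True


def package_url(have_tls):
    """Prefer https:// and fall back to http:// only when TLS is unavailable."""
    scheme = "https" if have_tls else "http"
    return "%s://%s/%s" % (scheme, HOST, PACKAGE_PATH)


def verify_sha256(payload, expected_hex):
    """Constant-time comparison of the payload digest against the pinned value."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def download_verified(expected_hex, have_tls=None, fetch=None):
    """Fetch the package over the best available scheme and refuse it on mismatch.

    `fetch` is injectable so the flow can be exercised without network access;
    the default does a real urlopen.
    """
    if have_tls is None:
        have_tls = tls_available()
    if fetch is None:
        fetch = lambda url: urlopen(url).read()
    url = package_url(have_tls)
    payload = fetch(url)
    if not verify_sha256(payload, expected_hex):
        # Over plain http the hash check is the only integrity guarantee, so
        # a mismatch must abort the install rather than warn.
        raise ValueError("hash mismatch for %s; refusing to install" % url)
    return url, payload


# Constructed sample data standing in for a downloaded package.
SAMPLE_PAYLOAD = b"constructed sample package bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def fake_fetch(url):
    """Offline stand-in for urlopen(url).read()."""
    return SAMPLE_PAYLOAD


if __name__ == "__main__":
    url, data = download_verified(SAMPLE_DIGEST, fetch=fake_fetch)
    print("fetched %d bytes from %s" % (len(data), url))
```

The hash check is what actually protects integrity on either scheme; TLS on top of it keeps the request confidential and stops a network attacker from serving a mismatching file in the first place, which is the belt-and-suspenders point made at the top of the thread.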

wbond commented 8 years ago

Working on getting ssl bundled with ST3 on Linux. After that is in a beta release, we can update the ST3 directions, at the least.

wbond commented 8 years ago

Dev build 3109 on Linux has OpenSSL statically linked. Once we get an ST3 beta build out with OpenSSL statically linked on all platforms, then we can change the directions for ST3 to always use TLS.

glyph commented 8 years ago

Thanks for the update, this is really cool to hear!

wbond commented 4 years ago

As of 0c05b89b726e67b505ffb5433ddfca8d746ca992, the installation docs point users to the command built into Sublime Text that uses https when possible (it falls back to http if necessary). That command more importantly verifies the package using public key cryptography.