Closed glyph closed 4 years ago
This is not possible since Linux does not ship with the _ssl
module. Otherwise I would have started using TLS a long time ago.
Gotcha. Would you consider a slightly more convoluted expression that would discover SSL support if the platform has it, and use it when possible?
(I had figured it might be something like this, since clearly the hash-verification meant you'd done some thinking about the security implications here...)
It isn't possible to do a single line try/except
in Python, is it?
We'd probably have to import os
or sys
and switch to https://
when not Linux.
It isn't possible to do a single line try/except in Python, is it?
No, not syntactically. By dark and terrible sorcery something equivalent may be accomplished but I want to make sure that it's worth doing before I attempt to harness that malign power.
Working on getting ssl
bundled with ST3 on Linux. After that is in a beta release, we can update the ST3 directions, at the least.
Dev build 3109 on Linux has OpenSSL statically linked. Once we get an ST3 beta build out with OpenSSL statically linked on all platforms, then we can change the directions for ST3 to always use TLS.
Thanks for the update, this is really cool to hear!
As of 0c05b89b726e67b505ffb5433ddfca8d746ca992, the installation docs point users to the command built into Sublime Text that uses https when possible (it falls back to http if necessary). That command more importantly verifies the package using public key cryptography.
Although the hash is compared exactly, it is still useful to have belt-and-suspenders security (this also keeps what exactly is being requested from packagecontrol.io confidential, and whose business on the network is it other than the recipient's?).