• Fwd: Re: Scripts that run insecurely-downloaded code

    From Rebecca N. Palmer@21:1/5 to All on Sat May 2 11:20:02 2020
    The list seems to have lost this, as it doesn't appear at https://lists.debian.org/debian-security/2020/05/maillist.html.

    -------- Forwarded Message --------
    Subject: Re: Scripts that run insecurely-downloaded code
    Date: Fri, 01 May 2020 22:51:05 +0000
    From: Marcus Dean Adams <marcusdean.adams@protonmail.com>
    Reply-To: Marcus Dean Adams <marcusdean.adams@protonmail.com>
    To: Elmar Stellnberger <estellnb@elstel.org>, Rebecca N. Palmer <rebecca_palmer@zoho.com>, debian-security@lists.debian.org



    It's better than nothing. Even if somebody were using self-signed
    certificates that aren't publicly trusted, the information would still
    be encrypted in transit. Whether the other end is trustworthy is another
    issue and up to the user and package maintainers to decide, but it
    would, at the very least, make it more difficult for a third party to
    manipulate the information between the intended endpoints. Since pretty
    much anybody can get a free SSL/TLS certificate from LetsEncrypt, even
    for your personal home network, for the majority of use cases there's
    really no reason to use unencrypted http any more.

    I digress, I'm going on a rant. I just wanted to state that I understand
    the OP's concerns. I would start by just emailing the developers/package
    maintainers for the project personally. I'm a firm believer with most
    things in life that if you have a problem, you handle it at the lowest
    possible level first and only escalate if necessary.

    --

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Marcus Dean Adams

    /"Civilization is the limitless multiplication/
    /of unnecessary necessities."/
    /-- Mark Twain/

    On Fri, 2020-05-01 at 21:31 +0200, Elmar Stellnberger wrote:
    [deleted -- Rebecca]
