List:       wine-devel
Subject:    Re: [PATCH 04/29] dlls/appwiz.cpl/: move WineHQ URLs to https
From:       Jacek Caban <jacek () codeweavers ! com>
Date:       2017-11-30 19:20:58
Message-ID: ea16baf3-ee50-9ccc-758d-202624fba799 () codeweavers ! com

Hi Austin,

On 30.11.2017 19:56, Austin English wrote:
> diff --git a/dlls/appwiz.cpl/addons.c b/dlls/appwiz.cpl/addons.c
> index 5ec49cfe6a..0bbc90f3eb 100644
> --- a/dlls/appwiz.cpl/addons.c
> +++ b/dlls/appwiz.cpl/addons.c
> @@ -86,7 +86,7 @@ static const addon_info_t addons_info[] = {
>          "wine_gecko-" GECKO_VERSION "-" ARCH_STRING ".msi",
>          "gecko",
>          GECKO_SHA,
> -        "http://source.winehq.org/winegecko.php",
> +        "https://source.winehq.org/winegecko.php",
>          "MSHTML", "GeckoUrl", "GeckoCabDir",
>          MAKEINTRESOURCEW(ID_DWL_GECKO_DIALOG)
>      },
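Review bot: The changed string in the gecko entry is the location the .msi is downloaded from, not a documentation link, so switching the scheme changes runtime behaviour: the fetch now depends on a working TLS stack. GECKO_SHA two lines above already pins the content, so the commit message should state what https is meant to add here and whether a fallback to http is wanted when the TLS connection cannot be made.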
> @@ -95,7 +95,7 @@ static const addon_info_t addons_info[] = {
>          "wine-mono-" MONO_VERSION ".msi",
>          "mono",
>          MONO_SHA,
> -        "http://source.winehq.org/winemono.php",
> +        "https://source.winehq.org/winemono.php",
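Review bot: The winemono.php line is a second download endpoint, guarded by MONO_SHA just above it, yet it arrives as patch 04/29 of a series whose subject describes a bulk move of WineHQ URLs to https. Consider splitting the two addons.c strings into their own patch with its own justification, so the behavioural change is reviewed separately from the rest of the series.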


While I'm not really opposed, I think this deserves more attention. Note
that this change means that we will download Gecko and Mono using https
instead of http. While it's usually fine, it's an extra complexity and
involves additional dependencies to achieve the task. For example, it
means that if you don't have a working GnuTLS and WineGecko cached, Wine
won't be able to set up your prefix correctly.


Also note that we check checksums of downloaded files, so installing
those packages is safe as far as attacks by modifying content are
concerned. All we gain from https in this case is a bit of privacy
improvement.


That said, I'm not sure we want that change unless we have a good reason.


Thanks,

Jacek
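
The checksum argument in the message above, as an added example that is not part of the original message or of Wine's code: a digest pinned in the program rejects a modified download whatever the transport, while the scheme only changes what an on-path observer can read. SHA-256, the Addon record, the example URL and the payload bytes are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Addon:              # hypothetical stand-in for one addon table entry
    file_name: str
    sha256: str           # digest pinned in the program at build time
    url: str

class ChecksumMismatch(Exception):
    pass

def verify(addon: Addon, payload: bytes) -> bytes:
    """Accept the downloaded bytes only if they match the pinned digest."""
    digest = hashlib.sha256(payload).hexdigest()
    if digest != addon.sha256.lower():
        raise ChecksumMismatch(f"{addon.file_name}: got {digest}")
    return payload

def install(addon: Addon, transport) -> str:
    """transport(url) -> bytes is treated as untrusted, http or https alike."""
    try:
        verify(addon, transport(addon.url))
    except ChecksumMismatch:
        return "rejected"   # tampering turns into a failed install, nothing runs
    return "installed"

def observer_view(url: str) -> str:
    """What a passive on-path observer learns from the request itself."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return parts.hostname              # host name only (DNS/SNI)
    return parts.hostname + parts.path     # plain http exposes the full request

# Constructed sample data, not real Wine artifacts.
GENUINE = b"constructed installer bytes"
ADDON = Addon("example-addon.msi", hashlib.sha256(GENUINE).hexdigest(),
              "http://downloads.example/addon.php")

def honest(url: str) -> bytes:
    return GENUINE

def tampering(url: str) -> bytes:          # on-path modification of the body
    return GENUINE + b" plus injected bytes"

if __name__ == "__main__":
    print(install(ADDON, honest), install(ADDON, tampering))
    print(observer_view(ADDON.url))
    print(observer_view("https://downloads.example/addon.php"))
```

The rejected case is still a failed installation, so the pinned digest protects integrity but not availability.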

