© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
35a32c5
(Get the code!)
Hi Stefan,
I just wanted to clarify a point I made previously:
>The requirement is that either or both payload verification or encrypted and validated communication must take place when pulling remove sources[1]. Their website doesn't have a valid SSL certificate, but it looks like they mirror their releases on Launchpad[2] which has a valid SSL cert (and MD5 hashes).
With regards to this, grabbing sources from non-encrypted sources is fine so long as you have a valid checksum you can verify against the file the charm grabs. The https only works if make sure the certificate is valid. In doing so you guarentee the transmission of the file is coming from the intended source. Using https communication with a valid and verified SSL certificate can be used in lieu of having to do checksum matches against the file.
I kind of ran those idea together above, wanted to make sure I conveyed exactly what is needed to satisfy the 4th bullet of https:/