Secure Homebrew Installation Without SSL #43582
Comments
Hmm. I'd be happy to provide a GPG-signed version of the document, i.e. From feedback we've had elsewhere people who aren't that familiar with OS X or Git find the front page script really helpful, so that's unlikely to change in itself. We don't want to make accessing Homebrew more cumbersome for the vast majority of users, but I sympathise with the desire to verify authenticity.
If we do anything here it'd be moving stuff to the README. I'm not really convinced by that approach, though, as it means people are suddenly presented with a bunch of GitHub UI.
I don't think GPG signing can help anything if we point to our GPG key on an insecure page.
We have the GPG key published on Keybase, every keyserver & we could add it to the core repo somewhere if necessary. I'm not too worried on that front. From Mike's reply I presume he isn't super in love with the idea of signing install/uninstall, so my point may be redundant 😸. I'm kind of bleh on making people click through from the front page to another link to find the correct script. GitHub's UI can be fairly intimidating to new users.
We'll fix this correctly as soon as GitHub Pages supports TLS. I heard a rumor on the breeze that this is expected soonish.
There have been a few threads on the insecurity of having the download snippet on non-SSL http://brew.sh. Two possibilities that I haven't seen suggested, and which circumvent the need for SSL: