
It's bizarre that they consider https as an alternative to cryptographic signing, rather than an unrelated addition.


My reading was they did the exact opposite: considered https to be a failure of end-to-end security they wanted. It was various users that apparently wanted HTTPS. I could see how they got to that: I access the site with HTTP; an intercept might happen; HTTPS protects HTTP; let's protect it with HTTPS! Fortunately, the experts knew better and avoided that nonsense.


If end-to-end sec (e.g., crypto signatures) is used, like say with Debian packages, which use GPG, packages and metadata can be released over http without a problem.


Exactly. One of many reasons the developers went with an end-to-end solution instead of HTTPS. It makes the transport mechanism moot except for the initial key exchange.
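
The point made in this thread, as an added example (not from any commenter or from the project under discussion): a client that pins the publisher's public key and verifies a signed index, then the package hash, rejects anything changed on an untrusted transport. Ed25519 from Go's standard library stands in for GPG here, and the package name, index format and function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fetched is everything that arrives over the untrusted transport (plain HTTP).
type Fetched struct {
	Index, Sig, Pkg []byte
}

// Publish builds a constructed one-package repository with a signed index.
func Publish(priv ed25519.PrivateKey, pkg []byte) Fetched {
	sum := sha256.Sum256(pkg)
	index := []byte("hello_1.0.deb sha256=" + hex.EncodeToString(sum[:]) + "\n")
	return Fetched{Index: index, Sig: ed25519.Sign(priv, index), Pkg: pkg}
}

// Verify checks the index signature with the pinned key, then the package hash.
func Verify(pinned ed25519.PublicKey, f Fetched) error {
	if !ed25519.Verify(pinned, f.Index, f.Sig) {
		return errors.New("index signature invalid")
	}
	sum := sha256.Sum256(f.Pkg)
	want := []byte("sha256=" + hex.EncodeToString(sum[:]) + "\n")
	if !bytes.HasSuffix(f.Index, want) {
		return errors.New("package hash not in signed index")
	}
	return nil
}

// Demo runs three constructed fetches against one pinned key.
func Demo() (clean, altered, resigned error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil) // a key the client never pinned
	good := Publish(priv, []byte("constructed package bytes"))
	swapped := good // same index and signature, different package bytes
	swapped.Pkg = []byte("constructed bytes changed in transit")
	return Verify(pub, good), Verify(pub, swapped),
		Verify(pub, Publish(other, swapped.Pkg))
}

func main() {
	fmt.Println(Demo())
}
```

The pinned key is the only trust anchor in this sketch, so how the client first obtains it is the one step the transport still matters for.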



