Issue #13962 has been updated by duerst (Martin Dürst).


normalperson (Eric Wong) wrote:

>  Regardless of HTTPS or not; can we keep known-good
>  SHA-256/384/512/whatever signature(s) of the to-be-downloaded
>  files in our repository and validate the downloaded result?
>  
>  IIRC, MiTM HTTPS proxies exist, and the CA system is still
>  vulnerable.

Unicode is currently looking at adding checksums. We should definitely integrate these into our process when they are available.

Also, please note that while the Unicode files get downloaded when compiling from scratch, we actually process them and commit the result into our repository (e.g. enc/unicode/10.0.0/casefold.h and enc/unicode/10.0.0/name2ctype.h). So any fishy stuff would quickly be detected if it generated diffs for these files.
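The pinned-checksum validation Eric Wong suggests above, as an added example in Ruby that is not part of Ruby's build scripts or of this thread; the file name, the digest table and the sample file contents are constructed, and `verify_download` is a hypothetical helper:

```ruby
require 'digest'

# Constructed excerpt standing in for a downloaded CaseFolding.txt.
SAMPLE_CASEFOLDING = <<~UCD
  # CaseFolding-10.0.0.txt (constructed excerpt for this example)
  0041; C; 0061; # LATIN CAPITAL LETTER A
  00DF; F; 0073 0073; # LATIN SMALL LETTER SHARP S
UCD

# Known-good SHA-256 digests keyed by the path as fetched from unicode.org.
# In a real setup this table is committed to the repository; here it is
# built from the constructed sample so the example runs offline.
PINNED_SHA256 = {
  'UCD/10.0.0/ucd/CaseFolding.txt' => Digest::SHA256.hexdigest(SAMPLE_CASEFOLDING),
}.freeze

class DownloadVerificationError < StandardError; end

# Compare the fetched bytes for +name+ against the pinned digest. A file with
# no pinned digest is rejected (deny by default) rather than trusted just
# because it arrived over TLS. Returns :ok or raises DownloadVerificationError.
def verify_download(name, data)
  expected = PINNED_SHA256[name]
  raise DownloadVerificationError, "no pinned digest for #{name}" unless expected

  actual = Digest::SHA256.hexdigest(data)
  unless actual == expected
    raise DownloadVerificationError,
          "#{name}: SHA-256 mismatch (expected #{expected[0, 12]}..., got #{actual[0, 12]}...)"
  end
  :ok
end

# Boolean wrapper, e.g. for a build task that discards a bad download
# instead of leaving it on disk for the generator step to pick up.
def download_ok?(name, data)
  verify_download(name, data)
  true
rescue DownloadVerificationError
  false
end

if __FILE__ == $0
  p download_ok?('UCD/10.0.0/ucd/CaseFolding.txt', SAMPLE_CASEFOLDING)                   # true
  p download_ok?('UCD/10.0.0/ucd/CaseFolding.txt', SAMPLE_CASEFOLDING + "0042; C; 0062;\n") # false
  p download_ok?('UCD/10.0.0/ucd/UnicodeData.txt', SAMPLE_CASEFOLDING)                   # false
end
```

The pinned table only helps if it is updated through a reviewed commit when a new Unicode version is imported, so that a changed digest shows up as a diff in the same way a changed enc/unicode/*.h would.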

----------------------------------------
Bug #13962: Change http://unicode.org to https
https://bugs.ruby-lang.org/issues/13962#change-67061

* Author: MSP-Greg (Greg L)
* Status: Open
* Priority: Normal
* Assignee: duerst (Martin Dürst)
* Target version: 
* ruby -v: ruby 2.5.0dev (2017-10-01 trunk 60085) [x64-mingw32]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
I believe downloads from unicode.org can be done via https.

See attached patch.

Thank you.

---Files--------------------------------
unicode.org.patch (435 Bytes)

