From: Eric Wong <normalperson@...>
Date: 2017-10-05T05:50:49+00:00
Subject: [ruby-core:83118] Re: [Ruby trunk Bug#13962] Change http://unicode.org to https

duerst@it.aoyama.ac.jp wrote:
> Just an intermediate report: HTTPS is available only since
> about a week, and the Unicode Consortium wants to check things
> a bit more before the availability is officially confirmed and
> announced. I'll wait until that time.

Regardless of HTTPS or not; can we keep known-good
SHA-256/384/512/whatever signature(s) of the to-be-downloaded
files in our repository and validate the downloaded result?

IIRC, MiTM HTTPS proxies exist, and the CA system is still
vulnerable.

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>