Download should be over https, not insecure ftp, at least for the signature and key files. The signature should also get verified.
Diff Detail
- Repository
- rL LLVM
I mean, this looks good.
But why ask me to review only to commit without waiting? =[ If this were code, I'd be rather annoyed as you know better. As it's just documentation, I'm just a bit annoyed because I pulled up the page to write "LGTM" without any purpose.
llvm/trunk/docs/GettingStarted.rst, line 331:
There's not much point fetching the signing key over exactly the same transport as the data. If someone's compromised ftp.gnu.org, they can replace the key at the same time as they replace the signature. Either trust just HTTPS or fetch the signing key from somewhere else.
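The procedure the review and the inline comment together describe, as an added example that is not part of the LLVM documentation or of this review: fetch the tarball, its detached signature and the signing key over HTTPS only, take the key from a host other than the data host, pin the key's fingerprint to a value obtained out of band, and accept the download only if the signature was made by that pinned key. It assumes `curl` and GnuPG 2.1 or later are installed; every URL, file name and fingerprint in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the LLVM docs or this review): fetch a release
# tarball, its detached signature and the signing key over HTTPS from
# separate hosts, pin the key's fingerprint, and verify the signature.
# All URLs, file names and fingerprints below are placeholders.
set -eu

# The review's first point: only https:// is acceptable for the signature
# and key (and, ideally, the data itself). Returns 0 for https URLs.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download $1 to $2. --proto '=https' also keeps curl from following a
# redirect to http:// or ftp://.
fetch() {
    require_https "$1" || { echo "refusing non-HTTPS URL: $1" >&2; return 1; }
    curl --fail --silent --show-error --proto '=https' --location \
        --output "$2" "$1"
}

# Decide from a saved `gpg --status-fd` transcript ($1) whether the data
# carries a good signature made by the pinned key ($2, a 40-hex-digit
# fingerprint). Checking VALIDSIG's fingerprint matters because a bare
# `gpg --verify` exit status is also 0 for any other key in the keyring.
# Field 3 of VALIDSIG is the signing (sub)key fingerprint, field 12 the
# primary key fingerprint; either may be the one that was pinned.
signature_from_key() {
    awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($3 == want || $12 == want) ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    ' "$1"
}

# Import the key from a host other than the data host (the inline comment's
# point) and refuse to continue unless its fingerprint matches the one the
# operator obtained out of band.
import_pinned_key() {
    key_url=$1; want=$2
    fetch "$key_url" signing-key.asc
    got=$(gpg --batch --with-colons --import-options show-only \
              --import signing-key.asc | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$got" = "$want" ] || { echo "key fingerprint mismatch: $got" >&2; return 1; }
    gpg --batch --import signing-key.asc
}

# End-to-end: fetch_and_verify DATA_URL SIG_URL KEY_URL FINGERPRINT
fetch_and_verify() {
    data_url=$1; sig_url=$2; key_url=$3; want=$4
    fetch "$data_url" release.tar.xz
    fetch "$sig_url"  release.tar.xz.sig
    import_pinned_key "$key_url" "$want"
    status=$(mktemp)
    # status lines go to stdout (fd 1); gpg's human-readable text to stderr
    gpg --batch --status-fd 1 --verify release.tar.xz.sig release.tar.xz \
        > "$status" 2>/dev/null || true
    if signature_from_key "$status" "$want"; then
        echo "release.tar.xz: good signature from $want"
    else
        echo "release.tar.xz: signature check FAILED; do not use" >&2
        return 1
    fi
}
```

Usage is `fetch_and_verify https://DATA-HOST/release.tar.xz https://DATA-HOST/release.tar.xz.sig https://KEY-HOST/signing-key.asc <fingerprint>`, where KEY-HOST is deliberately not DATA-HOST and the fingerprint comes from a release announcement, a printed document or another channel the data host cannot alter. Pinning on the VALIDSIG fingerprint rather than on gpg's exit status is the difference between "some key I have imported signed this" and "the key I expected signed this".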