[opam-devel] ssl and https compression

Roberto Di Cosmo roberto at dicosmo.org
Tue Apr 8 10:21:41 BST 2014

What about providing by default also an url.txt.gz, like is done for
index.tar.gz, and have the new versions of opam look for this?

That would make us independent of any extra communication layer complications

On Tue, Apr 08, 2014 at 09:35:49AM +0100, Anil Madhavapeddy wrote:
> I've upgraded the opam.ocaml.org VM for the latest SSL security drama, but we should probably revisit not depending on HTTP compression and SSL together, as there are several known attacks against this combination: http://en.wikipedia.org/wiki/CRIME
> This isn't an immediate problem for urls.txt, but perhaps having a non-HTTPS way of retrieving URLs.txt is a good idea for OPAM 1.2 to account for future issues (e.g. via git?)
> -a
> _______________________________________________
> opam-devel mailing list
> opam-devel at lists.ocaml.org
> http://lists.ocaml.org/listinfo/opam-devel

Roberto Di Cosmo
Professeur               En delegation a l'INRIA
PPS                      E-mail: roberto at dicosmo.org
Universite Paris Diderot WWW  : http://www.dicosmo.org
Case 7014                Tel  : ++33-(0)1-57 27 92 20
5, Rue Thomas Mann       
F-75205 Paris Cedex 13   Identica: http://identi.ca/rdicosmo
FRANCE.                  Twitter: http://twitter.com/rdicosmo
MIME accepted, Word deprecated
Office location:
Bureau 3020 (3rd floor)
Batiment Sophie Germain
Avenue de France
Metro Bibliotheque Francois Mitterrand, ligne 14/RER C
GPG fingerprint 2931 20CE 3A5A 5390 98EC 8BFC FCCA C3BE 39CB 12D3                        

More information about the opam-devel mailing list