@bagder @thejpster @unlambda Lots of "trust" people disregard is trusting well-meaning ppl not to slip up and expose you to bad actors. It's not just a matter of whether you trust them not to be evil themselves. I usually frame things this way when explaining to someone why I can't just trust their service because it avoids questioning their integrity.
Rich Felker (dalias@hachyderm.io)'s status on Thursday, 25-Apr-2024 20:44:00 JST
Rich Felker (dalias@hachyderm.io)'s status on Thursday, 25-Apr-2024 20:44:01 JST
@bagder @thejpster @unlambda I would assume it's just about not wanting to trust that a non-malicious admin doesn't accidentally reconfigure the server, put it behind some misconfigured CDN or DDoS protection service, etc.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 25-Apr-2024 20:44:02 JST
@thejpster @unlambda exactly what I thought.
Jonathan ‘theJPster’ Pallant (thejpster@hachyderm.io)'s status on Thursday, 25-Apr-2024 20:44:03 JST
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 25-Apr-2024 20:44:04 JST
@thejpster curl would not switch protocol unless there is a redirect and you tell curl to follow it. Which this command line does not. The TLS protocol version looks weird to me, as presumably if this is important, why does the server even offer anything lower?
Brian Campbell (unlambda@hachyderm.io)'s status on Thursday, 25-Apr-2024 20:44:04 JST
@bagder @thejpster Presumably the concern here would be a MITM attack with a protocol downgrade.
Jonathan ‘theJPster’ Pallant (thejpster@hachyderm.io)'s status on Thursday, 25-Apr-2024 20:44:05 JST
Hey @bagder, I was wondering about the default Rust install command:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Is the restriction on --proto to =https strictly required? Will curl switch to http even given an https URL?
Is the restriction to TLSv1.2 strictly required? Will curl downgrade to TLSv1.1 or SSLv3 if the server suggests it?
The -s and -S are fine, but I'd probably live with the stderr output for the sake of command brevity. The -f seems reasonable though.