[vlc-devel] 0.8.6d Release schedule
Remi Denis-Courmont
rdenis at simphalempin.com
Fri Nov 23 13:49:54 CET 2007
On Fri, 23 Nov 2007 12:51:01 +0100, Rafaël Carré <funman at videolan.org>
wrote:
> Do the files really have to be served through HTTPS ?
No. What would need to be done is:
1/ authenticate the update informations, supposedly using public key
cryptography, whereby the "VideoLAN release manager" gets the private
key,
and the public key is included in the player.
2/ provide file sums (e.g. SHA256) for the files to be downloaded, and
check them after download, but before the update starts.
Note that none of these require SSL. The infos could be signed just once
every time they are updated, and served over any insecure channel.
Unfortunately, we haven't anything that looks remotely like it would be
capable of doing this in the current code (would be tricky for 0.9.0, and
pretty impossible for 0.8.6d).
> I would think:
> 1/ Authenticate videolan.org with HTTPS
> 2/ Look for potential updates with HTTP
> 3/ Download them with HTTP
I don't understand.
--
Rémi Denis-Courmont
http://www.remlab.net
More information about the vlc-devel
mailing list