[vlc-devel] 0.8.6d Release schedule

Remi Denis-Courmont rdenis at simphalempin.com
Fri Nov 23 15:31:12 CET 2007


On Fri, 23 Nov 2007 14:04:21 +0100, Rafaël Carré <funman at videolan.org>
wrote:
> Are the checksums provided through TLS once the videolan.org server has
> been authenticated (still with TLS) ?

I must say, I don't understand how you would authenticate the server
with HTTP/TLS yet pass the data outside of TLS.

> What would be the extra weight of embedding cryptographic software in
> VLC, and then just serve checksums and their signature over an insecure
> channel, then the client do check the checksums' signature with the
> embedded public key ?

OpenPGP is not trivial to implement, or even integrate.

> My point is: TLS is used for transport, but I would prefer a solution
> like the GPG-signing of debian APT repositories.

Of course, OpenPGP would be a lot better than TLS here.
But it ain't going to happen within 0.9.0 let alone 0.8.6d timeframe.

-- 
Rémi Denis-Courmont
http://www.remlab.net




More information about the vlc-devel mailing list