[vlc-devel] Future of the update mechanism
jpd at videolan.org
Thu Jul 30 02:05:02 CEST 2009
On Wed, Jul 29, 2009 at 06:37:20PM +0200, Felix Paul Kühne wrote:
> However, courmisch got a really good point. SSL is expensive, both
> money and CPU-wise. If we want to get a SSL certificate anyway, "my"
> approach might be a good idea. If not, well having a trusted SSL
> certificate for trac, etc. would be good as our SSL connections don't
> really make sense right now.
So what about, say, feeding a ssl implementation our self-signed (and
thus free) CA certificate that we ship with vlc to authenticate our
updates, but otherwise using a simple http fetcher to go-for an updated
installer? Could even use system supplied implementations of either
protocol.
I'm not aware that ssl is much more computationally expensive than
gpg and except for the added ``pay us to trust us'' scam it has about
the same problems. Given that, and that update checks should occur
only occasionally (say, once a week or something, given our release
schedule), and perhaps don't need ssl to check for updates, I don't see
much objection against ssl itself. But that clearly only as long as a setup
doesn't somehow (artificially) require a paid-for certificate.
But most importantly, I'm neither interested in defending the current
state of affairs nor in hearing why one particular alternative is
great. I want to hear about multiple alternatives including less than
immediately obviously usable ones. I.e. multiple choices.
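
One way to realise the split proposed in this message, as an added example that is not part of the original mail or of VLC's updater: a small update manifest is fetched over TLS authenticated only by a CA file shipped with the application, and the installer fetched over plain http is checked against it. The manifest fields (`size`, `sha256`) and the function names are assumptions.

```python
import hashlib
import hmac
import io
import json
import ssl
import urllib.request

def pinned_context(ca_file):
    """TLS client context that trusts only the CA certificate shipped with the app."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check are on
    ctx.load_verify_locations(cafile=ca_file)      # the system trust store is never loaded
    return ctx

def fetch_manifest(url, ca_file):
    """Fetch the update manifest; this is the only step that needs authentication."""
    if not url.startswith("https://"):
        raise ValueError("manifest must be fetched over https")
    ctx = pinned_context(ca_file)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return json.loads(resp.read(65536))        # manifest is small; cap the read

def verify_installer(manifest, stream, chunk=65536):
    """Check installer bytes (fetched over plain http) against the manifest."""
    expected_size = int(manifest["size"])
    digest = hashlib.sha256()
    seen = 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        seen += len(block)
        if seen > expected_size:                   # oversized response: stop reading
            return False
        digest.update(block)
    expected_hash = str(manifest["sha256"]).lower()
    return seen == expected_size and hmac.compare_digest(digest.hexdigest(), expected_hash)

if __name__ == "__main__":
    # Constructed sample data standing in for a downloaded installer.
    installer = b"constructed installer bytes" * 1000
    manifest = {"size": len(installer), "sha256": hashlib.sha256(installer).hexdigest()}
    print(verify_installer(manifest, io.BytesIO(installer)))            # intact download
    print(verify_installer(manifest, io.BytesIO(installer + b"\x00")))  # modified in transit
```

The installer should be written to a temporary file and run only after `verify_installer` returns True for it.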