battleschool
mac_pkg feature request: make `--insecure` opt-in
A) Insecure mode should be opt-in in general; I was surprised and disappointed to see that battleschool has a hard-coded default of `--insecure` when downloading packages.
B) Certain sites fail with `curl --insecure` but work without the `--insecure` flag. I don't know why this happens, but https://static.rust-lang.org is one such site.
@bdarnell sorry for the very long delay. Wondering how to notify folks of this. Maybe make a version that logs warnings that `--insecure` is deprecated and to update their playbooks as it will change in X months? Let that stew for X months and then make the change. WDYT?
My feeling is that this is an important enough security issue that it should be pushed out quickly even if it breaks some things, instead of a months-long deprecation process. The change should just work in most cases, since I would personally expect it to be rare for people to download packages from an HTTPS URL that doesn't have a valid certificate (if they don't have a proper cert they will just use plain HTTPS). Was there a common problem that motivated the use of `--insecure` by default?
I'm ok with a few weeks even. I'm just against breaking people without any prior warning. I'm sure `--insecure` got me around a java and a few other things, I don't actually remember specifically. I'll add a warning today, but I'll give it at least a few weeks. Based on the two year age of the project, a few weeks seems ok with me. Thanks for responding and sorry for the recent absence.
Yeah, it's been the case for so long that a few more weeks won't hurt. (Do most battleschool users update frequently enough that they'd notice a deprecation period of a few weeks? I certainly don't)
I don't know. I have no idea how many users I have.
`battle` prints this as the first line of output in yellow:

```
## WARNING: default use of curl's --insecure option is deprecated & will be removed in ver. 0.9.0 (Dec 2015) #####
```