• nintendiator@feddit.cl
    1 year ago

    Because you need a way to be reachable over HTTPS

    Feels like this is the core key to be changed. Something like Debian’s packaging system for example, which doesn’t even need the Debian domain to be HTTPS.

      • nintendiator@feddit.cl
        1 year ago

        Dunno the exacts, but why not the good ol’ GPG? You only need to be able to exchange keys out-of-band once, and it saves you from lots of other issues. Trust between Alice and Brian is a between-them thing, and should not depend on a third party like Caroline arbitrarily deciding to change Brian’s legal name to Brandon.

    • Max-P@lemmy.max-p.me
      1 year ago

      Debian packages are signed individually, and usually people also don’t see downloading Debian packages as potentially privacy-sensitive, so plain download is acceptable.

      For lemmy where user accounts are involved, and in general as a new protocol designed in the age of HTTPS, it makes sense to require HTTPS.