On Nov 30, 2017 1:21 PM, "Jacek Caban" <jacek@codeweavers.com> wrote:
Hi Austin,


On 30.11.2017 19:56, Austin English wrote:
diff --git a/dlls/appwiz.cpl/addons.c b/dlls/appwiz.cpl/addons.c
index 5ec49cfe6a..0bbc90f3eb 100644
--- a/dlls/appwiz.cpl/addons.c
+++ b/dlls/appwiz.cpl/addons.c
@@ -86,7 +86,7 @@ static const addon_info_t addons_info[] = {
         "wine_gecko-" GECKO_VERSION "-" ARCH_STRING ".msi",
         "gecko",
         GECKO_SHA,
-        "http://source.winehq.org/winegecko.php",
+        "https://source.winehq.org/winegecko.php",
         "MSHTML", "GeckoUrl", "GeckoCabDir",
         MAKEINTRESOURCEW(ID_DWL_GECKO_DIALOG)
     },
@@ -95,7 +95,7 @@ static const addon_info_t addons_info[] = {
         "wine-mono-" MONO_VERSION ".msi",
         "mono",
         MONO_SHA,
-        "http://source.winehq.org/winemono.php",
+        "https://source.winehq.org/winemono.php",


While I'm not really opposed, I think this deserves more attention. Note that this change means that we will download Gecko and Mono using https instead of http. While it's usually fine, it's an extra complexity and involves additional dependences to achieve the task. For example, it means that if you don't have a working GnuTLS and WineGecko cached, Wine won't be able to setup your prefix correctly.


I have gnutls set up, so hadn't considered that. I would think that we consider a lack of gnutls an unsupported platform, but I don't think this is important enough to break that usecase.

Also note that we check checksums of downloaded files, so installing those packages is safe as far as attacks by modifying content is considered. All we gain from https in this case is a bit of privacy improvement.


That said, I'm not sure we want that change unless we have a good reason.


Sure. Can we agree to change the message to an https version of the wiki?