[Live-devel] source availability over an encrypted connection
Stu Tomlinson
stu at nosnilmot.com
Tue Jan 13 03:18:46 PST 2026
On Mon, Jan 12, 2026 at 8:27 PM Ross Finlayson <finlayson at live555.com>
wrote:
> Note that if you are concerned about the integrity of our source file
> tarball, we also provide a SHA1 fingerprint ("live555-latest-sha1.txt”)
> which you can use to compare against running “sha1” on the “.tar.gz” file.
>
This provides zero integrity guarantees when the SHA1 file is also
distributed by the same unverifiable HTTP connection.
You could put an HTTPS website on port 8443 for distributors while
maintaining your firewall-avoiding sshd on port 443 with minimal technical
difficulty. Or you could use web.live555.com, where you already have a
normal HTTPS on port 443 with valid certificate. Or, as you appear to be
using AWS, you could use CloudFront.
Regards,
Stu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20260113/4131d01a/attachment.htm>
More information about the live-devel
mailing list