Release tarballs seem to be available at http://sebastien.godard.pagesperso-orange.fr/download.html w/ much smaller xz archives.
No mention of version 12.7.1 on said page in spite of older versions being vulnerable to CVE-2022-39377. I think that makes it pretty clear which source we should use.
Hmmm. Half a megabyte of space saving or HTTPS... What do you think, gyakovlev?
The main use for these is that we're using the official sources from upstream which means there's one less thing for them to WTF about if we report bugs. (Other reasons include sometimes it means you get pre-generated man pages and such.)
it's a bummer to loose https, but considering "https vs uploaded tarball + size" I think it's ok to switch to xz or bz2, but hear me out till the end. looks like extra . in domain upsets the cert. The certificate is only valid for the following names: monsite-orange.fr, *.monsite-orange.fr, *.pagesperso-orange.fr, *.assoc.pagespro-orange.fr, *.ecole.pagespro-orange.fr, *.mairie.pagespro-orange.fr, *.pagespro-orange.fr, pagesperso-orange.fr, pagespro-orange.fr, assoc.pagespro-orange.fr, ecole.pagespro-orange.fr, mairie.pagespro-orange.fr looks like it's some kind of orange-france page hosting, you know one that comes with ISP, isp also sometimes provide email too. I really don't want to trust that =) broken cert, questionable hosting, delay with uploads. I understand "let's use release tarballs instead of github snapshots" argument, but tbh looks like it's an edge case where using github snap is preferred. agreed? thoughts?
I would very much agree that in this particular case the problems outweigh the benefits by quite a large margin. WONTFIX again, then.
