Daniel Kahn Gillmor wrote:
> AIUI, future versions of wget will want to use something like libhsts
> to improve communications security for the user.

Note that (AFAIK):

1. wget2 1.99 (in Debian 11) uses internal code to generate a persistent
   ~/.wget-hsts. This does not require libhsts or any preload file (#893159).
   It means if you do

       wget2 http://google.com
       wget2 http://google.com

   The second call will remember HSTS learnt from the first one.
   This is better than nothing.

2. libhsts IS the code from wget2. It was spun out into a separate library
   so wget1 could also use it.

3. wget2 2.00 (releasing this week) needs libhsts; the functionality is no
   longer bundled as it was in 1.99. Without libhsts, wget2 2.00 can be built
   and packaged, but ~/.wget-hsts will be ignored (i.e. A REGRESSION!)

On that basis, I don't think #893159 should block #893162, since
~/.wget-hsts is useful even without a chromium preload file.
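
The learn-then-remember behaviour described in point 1 of the message above, sketched as an added example (not code from wget2 or libhsts). The `HstsStore` class, the JSON file layout and the host names are assumptions made for illustration and do not reflect the real ~/.wget-hsts format; the rules applied are those of RFC 6797.

```python
import json, os, tempfile
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Known-HSTS-host store persisted as JSON (layout is this example's own)."""
    def __init__(self, path):
        self.path, self.hosts = path, {}
        if os.path.exists(path):
            with open(path) as fh:
                self.hosts = json.load(fh)

    def learn(self, url, header, now):
        """Record a Strict-Transport-Security header received in a response to url."""
        parts = urlsplit(url)
        if parts.scheme != "https":       # header seen over plain HTTP is ignored
            return False
        directives = {}
        for item in header.split(";"):
            name, _, value = item.strip().partition("=")
            if name:
                directives[name.lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdecimal():
            return False                  # max-age is mandatory
        host, max_age = parts.hostname.lower(), int(directives["max-age"])
        if max_age == 0:                  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = {"expires": now + max_age,
                                "subdomains": "includesubdomains" in directives}
        with open(self.path, "w") as fh:
            json.dump(self.hosts, fh)
        return True

    def upgrade(self, url, now):
        """Rewrite http:// to https:// when the host (or a parent) is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = (parts.hostname or "").lower()
        labels = host.split(".")
        for i in range(len(labels)):      # i == 0 is the exact host, i > 0 a parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry["expires"] > now and (i == 0 or entry["subdomains"]):
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(("https", host + port, parts.path, parts.query, parts.fragment))
        return url

def two_invocations():
    """Constructed scenario: two separate runs share state only through the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hsts.json")
        HstsStore(path).learn("https://example.com/", "max-age=31536000; includeSubDomains", now=1000)
        return HstsStore(path).upgrade("http://www.example.com/file", now=2000)
```

If the second run cannot read the store, `upgrade` returns the URL unchanged and the request goes out over plain HTTP, which is the regression point 3 describes.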