
verify_SSL being true by default (redux) #134

Closed
@jmdh

Description

[I originally wrote this as an addendum to #68, and throughout this message I have referred to 'you' meaning the maintainer of HTTP::Tiny. I now notice that "@ghost" is not an actual account, but a placeholder for a deleted account, so I'm missing context about whether that person speaks for the current maintainers. Since that previous issue is closed, it seems appropriate to send this as a new issue.]

In Debian, we considered a request from a user to change this default. You can see the discussion at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089, which follows broadly the same lines as in #68, with the additional context that we're 5 years on and acquiring SSL certificates from broadly accepted CAs is easier/free.

In summary, we believe the right thing to do for our users is to verify SSL certificates by default when they supply https URLs, and that it is better to make this policy decision in HTTP::Tiny rather than in (at least) 30 separate packages.

I acknowledge that you feel that this is unreasonably placing trust in a flawed CA system, which I can certainly sympathize with; however, this is a question about reasonable expectations that processing https URLs will apply certificate verification. It strictly improves the default security model of the system, even if it does not address all its weaknesses. Collectively, this is the direction that software in Debian has been headed, both at the browser level and the library level.

You can see the patch we plan to apply at https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92

Thanks for your work in maintaining HTTP::Tiny, and I'm happy to hear if you have any further thoughts about this topic.
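As an added illustration (not code from the issue, from the Debian patch, or from HTTP::Tiny itself), the two settings the issue contrasts side by side in Perl: a client built with the historical default, one that opts in with `verify_SSL => 1`, and a small helper that tells a certificate-verification failure apart from an ordinary HTTP error. The `fetch` helper, its classification rule and the `host.example` URL are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example: default HTTP::Tiny client vs. one that verifies certificates,
# with a fetch helper that surfaces verification failures instead of hiding them.
use strict;
use warnings;
use HTTP::Tiny;

# Weak: HTTP::Tiny's historical default is verify_SSL => 0, so an https URL is
# fetched without checking the server certificate against any CA store.
my $unverified = HTTP::Tiny->new( timeout => 10 );

# Corrected: opt in to verification (the behaviour the issue asks to make the
# default). This needs IO::Socket::SSL and a CA bundle (Mozilla::CA or the
# system store); if the certificate cannot be validated the request fails closed.
my $verified = HTTP::Tiny->new( timeout => 10, verify_SSL => 1 );

# fetch() (assumed helper) returns a small hash describing the outcome.
# HTTP::Tiny reports internal errors, including TLS handshake and certificate
# verification failures, as a synthetic status 599 with the message in {content}.
sub fetch {
    my ( $client, $url ) = @_;
    my $res = $client->get($url);
    return { ok => 1, status => $res->{status} } if $res->{success};
    my $kind = ( $res->{status} == 599 && $res->{content} =~ /certificate|SSL|verif/i )
        ? 'tls_verification'      # handshake refused: cert not trusted / name mismatch
        : 'http_or_transport';    # 4xx/5xx from the server, DNS, timeout, ...
    return {
        ok     => 0,
        status => $res->{status},
        kind   => $kind,
        detail => $res->{content} // $res->{reason},
    };
}

# Constructed placeholder URL; pass a real https endpoint as the first argument.
my $url = $ARGV[0] // 'https://host.example/';
for my $case ( [ 'verify_SSL => 0 (old default)', $unverified ],
               [ 'verify_SSL => 1',               $verified   ] ) {
    my ( $label, $client ) = @$case;
    my $r = fetch( $client, $url );
    printf "%-30s %s (status %s%s)\n", $label,
        $r->{ok} ? 'OK' : 'FAILED', $r->{status}, $r->{ok} ? '' : ", $r->{kind}";
}
```

Against a server presenting an untrusted or mismatched certificate, the first client reports OK and the second reports a `tls_verification` failure, which is exactly the difference the default decides for every caller that never sets the option.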
