On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote: > Package: popularity-contest > Version: 1.71 > Severity: wishlist > X-Debbugs-Cc: [email protected] > > Dear Maintainer, > > It seems that the site popcon.debian.org is HTTPS capable. Please > consider changing the SUBMITURLS variable inside the file default.conf > for use it by default. > Also, when https is used, does gpg add any privacy enhancement?
Hello Manolo The server does not support https submission, https submissions are redirected to plain http. This is a feature: older systems reporting to popcon have a too old TLS library that is not compatible with modern https server. Also in the context of popcon, https has a major flaw in that it uses a certificate to identify the server, and identifying valid certificates is difficult. On the other hand GPG encryption with a static public key is much simpler and safer. It is easy for the server use a keyring with all the private decryption keys that correspond to the public encryption keys, even if it was last used 10 years ago. On the other hand it is not realistic for a https server to offer a 10-year old certificate becuase this is what older systems are expecting. Cheers, -- Bill. <[email protected]> Imagine a large red swirl here.

