[sr #109567] Download area link for some packages uses insecure http protocol

2022-03-29 Thread Ineiev
Update of sr #109567 (project administration): Status:None => Postponed Open/Closed:Open => Closed ___ Follow-up Comment #6: These days n

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-07 Thread Ineiev
Follow-up Comment #5, sr #109567 (project administration): > The other way is to download the .sig file from a trusted place (the master server, not a mirror) But why is the master server a trusted place? Should its CA be trusted? ___ Repl

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-07 Thread Bruno Haible
Follow-up Comment #4, sr #109567 (project administration): > the users should make sure that they use the right public keys; but there is no other real way to protect from MITM. I disagree. Checking the keys is *one way* to protect from MITM. The other way is to download the .sig file from a tru
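The point argued in comments #1, #3 and #4 is that a detached signature protects the download only if the verifier already trusts the signing key: then the tarball and the .sig can come from any mirror, a mirror that swaps the tarball fails verification, and a rogue mirror that signs with its own key is rejected because that key is not pinned. The following is an added example, not code from the Savannah thread or from any GNU project; it uses Ed25519 from Go's standard library in place of OpenPGP/gpg to show the same verification logic, and the keys, fingerprint format, file contents and mirror scenarios are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrUnknownKey   = errors.New("signing key is not in the pinned keyring")
	ErrBadSignature = errors.New("signature does not verify over the downloaded file")
)

// Keyring holds the maintainer keys the user trusts, indexed by fingerprint.
// The fingerprints must be obtained out of band (a vendor keyring, the
// project's own announcement), never from the mirror that serves the tarball.
type Keyring map[string]ed25519.PublicKey

// Fingerprint is a hypothetical key identifier for this example (truncated
// SHA-256 of the public key), standing in for an OpenPGP fingerprint.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func (k Keyring) Pin(pub ed25519.PublicKey) { k[Fingerprint(pub)] = pub }

// Verify is what the download client does. The tarball and the .sig may come
// from any mirror; keyFP is the fingerprint the package is expected to be
// signed with. If that key is pinned and the signature verifies, the file is
// authentic no matter which server delivered it.
func (k Keyring) Verify(tarball, sig []byte, keyFP string) error {
	pub, ok := k[keyFP]
	if !ok {
		return ErrUnknownKey
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, tarball, sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records the result of each mirror scenario discussed in the thread.
type Outcome struct {
	Honest      error // genuine tarball + genuine .sig served by a mirror
	Tampered    error // mirror swapped the tarball but kept the genuine .sig
	Forged      error // mirror signed its tarball itself, claiming the maintainer's fingerprint
	RogueMirror error // mirror serves its own tarball, .sig and key, advertising its own fingerprint
}

func RunScenarios() Outcome {
	// Constructed keys with fixed seeds so the example is deterministic.
	maintainer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	maintainerPub := maintainer.Public().(ed25519.PublicKey)
	attackerPub := attacker.Public().(ed25519.PublicKey)

	trusted := Keyring{}
	trusted.Pin(maintainerPub) // the one key the user has checked out of band
	fp := Fingerprint(maintainerPub)

	// Constructed release artefact and the signature the maintainer published.
	tarball := []byte("foo-1.0.tar.gz: genuine release contents")
	sig := ed25519.Sign(maintainer, tarball)
	trojaned := []byte("foo-1.0.tar.gz: trojaned contents from a bad mirror")

	var out Outcome
	out.Honest = trusted.Verify(tarball, sig, fp)
	out.Tampered = trusted.Verify(trojaned, sig, fp)
	out.Forged = trusted.Verify(trojaned, ed25519.Sign(attacker, trojaned), fp)
	out.RogueMirror = trusted.Verify(trojaned, ed25519.Sign(attacker, trojaned), Fingerprint(attackerPub))
	return out
}

func main() {
	o := RunScenarios()
	fmt.Println("honest mirror:   ", o.Honest)
	fmt.Println("tampered tarball:", o.Tampered)
	fmt.Println("forged signature:", o.Forged)
	fmt.Println("rogue mirror:    ", o.RogueMirror)
}
```

Only the honest scenario returns nil; the other three are rejected before any content is used, which is why the thread's participants treat the pinned key, not the transport to the mirror, as the security boundary. The one thing this check cannot do is bootstrap trust: the fingerprint passed to Verify has to come from somewhere the attacker does not control, which is where the question of fetching the .sig or the key from the master server over TLS comes in.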

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-07 Thread Ineiev
Follow-up Comment #3, sr #109567 (project administration): > To enforce security, it would make sense to fetch the .sig file from the main site and only the non-signature files from the mirror. This doesn't matter: if the signature made with a valid key verifies, the file is authentic (within cer

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-06 Thread Bruno Haible
Follow-up Comment #2, sr #109567 (project administration): > everyone is free to set up a mirror, and we add them to our list on their request. Ouch, this is bad. Someone who wants to become MITM for some packages just has to set up a mirror, notify GNU, and add trojan horses to the sources and bin

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-06 Thread Ineiev
Follow-up Comment #1, sr #109567 (project administration): HTTPS is not really much more secure against MITM attacks: everyone is free to set up a mirror, and we add them to our list on their request. I think the only real protection is signatures.

[savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol

2018-10-06 Thread Bruno Haible
URL: Summary: Download area link for some packages uses insecure http protocol Project: Savannah Administration Submitted by: haible Submitted on: Sat 06 Oct 2018 07:58:05 PM CEST