[savannah-help-public] [sr #109567] Download area link for some packages


From: Ineiev
Subject: [savannah-help-public] [sr #109567] Download area link for some packages uses insecure http protocol
Date: Sun, 7 Oct 2018 05:38:00 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

Follow-up Comment #3, sr #109567 (project administration):

> To enforce security, it would make sense to fetch the .sig file from the
> main site and only the non-signature files from the mirror.

This doesn't matter: if the signature made with a valid key verifies, the file
is authentic (within certain assumptions); else it may not be.

> It requires that users check the signatures.
...
> we all know that there are fake identities floating around...checking more
> than the usual 8 digits of a key id.

Quite right, the users should make sure that they use the right public keys;
but there is no other real way to protect from MITM.

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?109567>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
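The check the comment above argues for, as an added example that is not code from this thread or from Savannah: verify a detached signature with gpg and accept it only when the signer's full fingerprint equals one pinned out of band, refusing an 8-digit key id as a pin. The VALIDSIG field layout is GnuPG's documented `--status-fd` format; PINNED_FPR and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Savannah thread: pin the signer's full
# fingerprint when verifying a detached signature. PINNED_FPR and the
# sample status lines below are constructed placeholders.

# check_validsig PINNED_FPR STATUS_TEXT
#   Succeeds only if STATUS_TEXT (gpg --status-fd output) contains a
#   VALIDSIG line whose signing-key fingerprint ($3) or primary-key
#   fingerprint ($12) equals PINNED_FPR. A pin shorter than the full
#   40 hex digits (e.g. an 8-digit key id) is refused outright, since
#   short ids are cheap to collide.
check_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    printf '%s\n' "$2" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_download FILE SIGFILE PINNED_FPR
#   Runs gpg (assumed installed) and applies the fingerprint pin. Where
#   FILE and SIGFILE were fetched from does not matter: the check is on
#   the key, not on the transport.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_validsig "$3" "$status"
}

# Constructed sample of gpg status output for a good signature.
PINNED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-10-07 1538905080 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

if [ "$#" -eq 3 ]; then
    verify_download "$@" && echo "signature OK, key fingerprint matches pin"
else
    check_validsig "$PINNED_FPR" "$SAMPLE_STATUS" && echo "sample: full fingerprint accepted"
    check_validsig 01234567 "$SAMPLE_STATUS" || echo "sample: 8-digit key id refused as a pin"
fi
```

Run it as `sh verify.sh FILE FILE.sig FULL_FINGERPRINT` to check a real download; with no arguments it exercises the parser on the constructed sample.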