[cross posting @docs => @dev, full thread
http://www.gossamer-threads.com/lists/apache/docs/453401]

On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
<b...@blenning.no> wrote:
>
> On 14/01/16 01:19, Yann Ylavic wrote:
>>
>> as I said earlier, the way you access the
>> tarball is not that important provided you verify its signature, or
>> its digests from the official repository only.
>
> I understand what you are saying that the proper way is to download
> the checksums from the correct source, which is self-evident. Now
> assume you're a new user, and do not have this previous knowledge.
> This user is security conscious, so the user chooses https on purpose.
> He would go into (https://httpd.apache.org), where he would find a
> link taking him to (https://httpd.apache.org/download.cgi), at this
> point, he would find the link to (http://www.apache.org/dist/httpd/),
> what I'm saying is in order to have some trust in that link, it
> _SHOULD_ be https otherwise assuming you could introduce yourself as a
> MitM, manipulating the signatures would be trivial.

OK, I thought the links to the MD5/SHA1/PGP were https: but this is not the case.
I agree that the origin of these files should be trustable.

@dev: should I s/http:/https:/ for those links (only) in
^httpd/site/trunk/content/download.mdtext?
Or possibly use paths instead (i.e. /dist/httpd/...) so that it
depends on how /download.cgi is accessed?
Would that be enough for the prod to be updated (via staging)?

Regards,
Yann.
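As an added example (not code from this thread or from the httpd project), the check below models the point argued above: a digest file only adds trust if it was itself fetched over https from the official host, and only then is the tarball compared against it. The trusted host list, the sample file names and the use of SHA-256 (rather than the MD5/SHA1 files the thread mentions) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumption: hosts from which a digest or signature file may be trusted.
# Taken from the URLs quoted in the thread; the real set is a policy choice.
TRUSTED_DIGEST_HOSTS = {"www.apache.org", "httpd.apache.org"}


def trusted_digest_origin(url: str) -> bool:
    """True only if the digest URL uses https and points at a trusted host.

    A digest fetched over plain http can be rewritten together with the
    tarball by anyone on the path, so it proves nothing; the scheme check
    is the whole point of the thread.
    """
    u = urlparse(url)
    return u.scheme == "https" and u.hostname in TRUSTED_DIGEST_HOSTS


def parse_digest_file(text: str) -> dict:
    """Parse 'hexdigest  filename' lines (sha256sum/md5sum style) into a map."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            name = parts[1].lstrip("*")  # '*' marks binary mode in GNU tools
            digests[name] = parts[0].lower()
    return digests


def verify_tarball(data: bytes, filename: str, digest_text: str,
                   digest_url: str, alg: str = "sha256") -> bool:
    """Accept the tarball only if the digest file came from a trusted https
    origin and its entry for `filename` matches the tarball's hash."""
    if not trusted_digest_origin(digest_url):
        return False
    expected = parse_digest_file(digest_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(alg, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample input (not a real httpd release): a fake tarball and the
# digest file an official mirror would publish for it.
SAMPLE_TARBALL = b"constructed sample tarball bytes\n"
SAMPLE_NAME = "httpd-EXAMPLE.tar.gz"
SAMPLE_DIGEST_FILE = hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  " + SAMPLE_NAME + "\n"
DIGEST_URL_HTTPS = "https://www.apache.org/dist/httpd/" + SAMPLE_NAME + ".sha256"
DIGEST_URL_HTTP = "http://www.apache.org/dist/httpd/" + SAMPLE_NAME + ".sha256"
```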
