On Thu, Jan 14, 2016 at 9:25 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> [cross posting @docs => @dev, full thread
> http://www.gossamer-threads.com/lists/apache/docs/453401]
>
> On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
> <b...@blenning.no> wrote:
>>
>> On 14/01/16 01:19, Yann Ylavic wrote:
>>>
>>> as I said earlier, the way you access the
>>> tarball is not that important provided you verify its signature, or
>>> its digests from the official repository only.
>>
>> I understand what you are saying that the proper way is to download
>> the checksums from the correct source, which is self-evident. Now
>> assume you're a new user, and do not have this previous knowledge.
>> This user is security conscious, so the user chooses https on purpose.
>> He would go into (https://httpd.apache.org), where he would find a
>> link taking him to (https://httpd.apache.org/download.cgi); at this
>> point, he would find the link to (http://www.apache.org/dist/httpd/).
>> What I'm saying is, in order to have some trust in that link, it
>> _SHOULD_ be https; otherwise, assuming you could introduce yourself as a
>> MitM, manipulating the signatures would be trivial.
>
> OK, I thought the links to the MD5/SHA1/PGP were https: but this is not the
> case.
> I agree that the origin of these files should be trustable.
>
> @dev: should I s/http:/https:/ for those links (only) in
> ^httpd/site/trunk/content/download.mdtext?
> Or possibly use paths instead (i.e. /dist/httpd/...) so that it
> depends on how /download.cgi is accessed?
> Would that be enough for the prod to be updated (via staging)?
Would the attached patch be appropriate, so that the MD5/SHA1/ASC/KEYS files are under https://*.apache.org's certification?
httpd-site-trunk-https.patch
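A check in the spirit of the proposal above, added here as an example (not part of the thread or of the httpd-site repository): it scans download.mdtext-style Markdown for digest, signature and KEYS links that are plain http or not on *.apache.org, and rewrites the official ones either to https or to path-only links. The sample lines, the version placeholder and the mirror host are constructed.

```python
import re
from urllib.parse import urlparse, urlunparse

# Files whose origin must be trusted: digests, PGP signatures and signing keys.
VERIFICATION_SUFFIXES = (".md5", ".sha1", ".asc", "/KEYS")

# Markdown inline links as used in *.mdtext: [text](url)
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")

# Constructed stand-in for a few download.mdtext lines (not the real file);
# the version and the mirror host are placeholders.
SAMPLE_MDTEXT = """\
[httpd-X.Y.Z.tar.gz](http://www.apache.org/dist/httpd/httpd-X.Y.Z.tar.gz)
[PGP](http://www.apache.org/dist/httpd/httpd-X.Y.Z.tar.gz.asc)
[MD5](http://www.apache.org/dist/httpd/httpd-X.Y.Z.tar.gz.md5)
[SHA1](https://www.apache.org/dist/httpd/httpd-X.Y.Z.tar.gz.sha1)
[KEYS](http://www.apache.org/dist/httpd/KEYS)
[mirror](http://mirror.example.net/dist/httpd/httpd-X.Y.Z.tar.gz.md5)
"""

def is_verification_file(url):
    """True if the URL points at a digest, signature or KEYS file."""
    return urlparse(url).path.endswith(VERIFICATION_SUFFIXES)

def is_official_host(url):
    """True if the link is served from apache.org or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host == "apache.org" or host.endswith(".apache.org")

def insecure_verification_links(text):
    """Verification-file URLs a MitM could tamper with (plain http) or that do not
    come from the official repository. Path-only links are skipped: they inherit
    the scheme and host of the page they sit on, which is the 'relative' fix."""
    return [url for _label, url in MD_LINK.findall(text)
            if is_verification_file(url) and urlparse(url).netloc
            and (urlparse(url).scheme != "https" or not is_official_host(url))]

def harden_links(text, relative=False):
    """Apply s/http:/https:/ to official verification-file links only, or with
    relative=True turn them into path-only links (the /dist/httpd/... option).
    Tarball links and non-official hosts are left for a human to review."""
    def fix(match):
        label, url = match.groups()
        parts = urlparse(url)
        if not (is_verification_file(url) and is_official_host(url)
                and parts.scheme == "http"):
            return match.group(0)
        new_url = parts.path if relative else urlunparse(parts._replace(scheme="https"))
        return f"[{label}]({new_url})"
    return MD_LINK.sub(fix, text)
```

The mirror link stays flagged after either rewrite: a digest fetched from a non-official host cannot be trusted no matter which scheme it uses.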