Op Fri, 20 Dec 2013 03:02:26 +0000 schreef Sam Kuper <sam.ku...@uclmail.net>:
> OK, so the next best thing is to download the gNewSense GPG keyring > file gnewsense-keyring.gpg from somewhere that does have a "secure" > connection > ( https://savannah.nongnu.org/project/memberlist-gpgkeys.php?group=gnewsense ) > and try to verify downloads with that. First steps: That's the keyring with the keys of the project members, not the repository key. You can find the repository key in the gnewsense-archive-keyring package [1] (file keyrings/gnewsense-archive-keyring.gpg). You can check that it's the right key by verifying the fingerprint, which listed on our website [2], but I'll give it here to avoid any doubt: 4F8A 7A4A 66A7 83D1 5560 7F1E E4D0 9D08 BF11 9352 > If not, is there an ETA for the implementation of SSL/TLS on the > gNewSense website; or a possibility the gNewSense project might start > serving its files through Savannah instead of (or in addition to) > directly from the gNewSense website, in order to benefit from > Savannah's HTTPS? Savannah is not designed to serve a distribution's package repository. gNewSense has no money, so we can't get a certificate from the big CAs. We might get one from CAcert, but that's not trusted by most browsers, as far as I know. That might make it as trustworthy to you as a self-signed certificate. So adding SSL support would be either 'better than nothing' or 'a false sense of security', depending on your view. I'm more of the former view, but implementing this is low on my priority list, because I don't want to muck around with the web server's configuration and I'd have to polish up my knowledge of certificate administration. [1] http://archive.gnewsense.org/gnewsense-three/gnewsense/pool/main/g/gnewsense-archive-keyring/gnewsense-archive-keyring_2012.05.06.tar.gz [2] http://www.gnewsense.org/Main/ReposRefs _______________________________________________ gNewSense-users mailing list gNewSense-users@nongnu.org https://lists.nongnu.org/mailman/listinfo/gnewsense-users