On 8/22/16 8:23 PM, Richard Stanway wrote:
> See https://nginx.org/en/linux_packages.html#stable
>
> PGP key links are hard coded to http URLs:
>
> <p>
> For Debian/Ubuntu, in order to authenticate the nginx repository signature
> and to eliminate warnings about missing PGP key during installation of the
> nginx package, it is necessary to add the key used to sign the nginx
> packages and repository to the <code>apt</code> program keyring.
> Please download <a href="http://nginx.org/keys/nginx_signing.key">this
> key</a> from our web site, and add it to the <code>apt</code>
> program keyring with the following command:
> </p>
>
Yes, I see. It should be fixed. Thanks.

> On Mon, Aug 22, 2016 at 7:19 PM, Maxim Konovalov <[email protected]> wrote:
>
> > On 8/22/16 8:15 PM, Richard Stanway wrote:
> > > Could you at least fix the https download page, so it doesn't
> > > directly link to a HTTP PGP key?
> > >
> > It works correctly: https://nginx.org/en/download.html
> >
> > > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <[email protected]> wrote:
> > >
> > > > On 8/22/16 7:41 PM, B.R. wrote:
> > > > > The problem is, if the GPG key is served through HTTP, there is no
> > > > > way to authenticate it, since it could be compromised through MITM.
> > > > > I am very surprised to see myself being qualified as 'HTTPS despot'
> > > > > when I just spot the obvious.
> > > > >
> > > > But it does not -- our PGP key distributed through a number of
> > > > channels, including HTTPS. Problem solved, case closed?
> > > >
> > > > > Compromised repository + GPG key is one very powerful way of
> > > > > impersonating another product.
> > > > >
> > > > > TLS provides both encryption and authentication, based on the
> > > > > initial shared circle of trust.
> > > > > Thus you certify the GPG key is authentic and thus, if it verifies
> > > > > the binaries, you ensure the delivered package are produced by the
> > > > > owner of the key, in the end the real author.
> > > > >
> > > > > In 2016, stating that content served over HTTP is 'secure' blows my
> > > > > mind and kills your credibility.
> > > > >
> > > > Who did that? What's his name?
> > > >
> > > > > Now, as Richard pointed out, if you truly believe you need to
> > > > > provide HTTP-only, you can. It would be better if it was in a very
> > > > > visible fashion, though.
> > > > > Where was despotism, again?
> > > >
> > > > nginx.org already has HTTPS therefore it is not HTTP-only.
> > > >
> > > > > ---
> > > > > *B. R.*
> > > > >
> > > > > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway <[email protected]> wrote:
> > > > >
> > > > > > 1. You could provide insecure.nginx.org mirror for such people, make
> > > > > > nginx.org secure by default.
> > > > > >
> > > > > > 2. Modern server CPUs are already extremely energy efficient,
> > > > > > TLS adds negligible load. See https://istlsfastyet.com/
> > > > > >
> > > > > > On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev <[email protected]> wrote:
> > > > > >
> > > > > > > On Sunday 21 August 2016 15:56:09 B.R. wrote:
> > > > > > > > It is surprising, since I remember Ilya Grigorik made a talk about TLS
> > > > > > > > during the first ever nginx conf in 2014:
> > > > > > > > https://www.youtube.com/watch?v=iHxD-G0YjiU
> > > > > > > > https://istlsfastyet.com/
> > > > > > >
> > > > > > > It's just Ilya's opinion. You are free to agree or not.
> > > > > > >
> > > > > > > > Thus, there is no reason for not going full-HTTPS in delivering Web pages.
> > > > > > >
> > > > > > > There are at least two reasons to not use HTTPS:
> > > > > > >
> > > > > > > 1. Provide easy access to information for people, who can't
> > > > > > > use encryption by political, legal, or technical reasons.
> > > > > > >
> > > > > > > 2. Don't waste resources on encryption, and thus save our planet.
> > > > > > >
> > > > > > > Please, don't be a TLS despot and let people to have a
> > > > > > > choice to use encryption or not.
> > > > > > >
> > > > > > > I think the situation when I can't download new version of
> > > > > > > OpenSSL using old version of OpenSSL is ridiculous, but they have
> > > > > > > configured openssl.org that way.
> > > > > > > How I supposed to use Internet then?
> > > > > > >
> > > > > > > wbr, Valentin V. Bartenev

--
Maxim Konovalov
Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
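
The issue reported in this message, an HTTPS page that hard-codes an `http://` link to the package signing key, can be checked mechanically. The following is an added example, not part of the original thread or of the nginx.org site tooling: a small Python lint that flags plain-HTTP links to key files in a page served over HTTPS. The function names and the suffix list are assumptions, and the sample HTML is constructed from the snippet quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed set of file suffixes that indicate signing-key material.
KEY_SUFFIXES = (".key", ".asc", ".gpg", ".pgp")


class _LinkCollector(HTMLParser):
    """Collect href/src values together with their line numbers."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((self.getpos()[0], value))


def insecure_key_links(page_url, html):
    """Return (line, absolute_url) for key links that would be fetched over
    plain HTTP when the page itself is served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # page is not authenticated either; nothing to downgrade
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for line, href in collector.links:
        target = urlsplit(urljoin(page_url, href))  # resolves relative links
        if target.scheme == "http" and target.path.lower().endswith(KEY_SUFFIXES):
            findings.append((line, target.geturl()))
    return findings


# Constructed sample: first link mirrors the snippet quoted in the thread,
# the other two show forms that inherit or use HTTPS and must not be flagged.
SAMPLE = """<p>
Please download <a href="http://nginx.org/keys/nginx_signing.key">this
key</a> from our web site.
Relative: <a href="/keys/nginx_signing.key">key</a>
Explicit: <a href="https://nginx.org/keys/nginx_signing.key">key</a>
</p>"""

if __name__ == "__main__":
    for line, url in insecure_key_links(
            "https://nginx.org/en/linux_packages.html", SAMPLE):
        print(f"line {line}: key fetched without transport authentication: {url}")
```

Relative and protocol-relative links inherit the page's scheme, so only absolute `http://` references are reported.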
