[Pidgin] #14565: Link to .asc file and offer download over TLS
Pidgin
trac at pidgin.im
Wed Sep 19 15:31:29 EDT 2012
#14565: Link to .asc file and offer download over TLS
-------------------------------------------------+-------------------------
Reporter: ioerror | Owner: rekkanoryo
Type: task | Status: new
Milestone: | Component: unclassified
Version: |
Keywords: security https tls pgp signature win32 | Resolution:
-------------------------------------------------+-------------------------
Comment (by ioerror):
Replying to [comment:4 datallah]:
> SSL downloads are probably not going to happen any time soon. The
> bandwidth requirements would be quite high, we'd lose the Sourceforge
> global mirroring, and with the GPG signatures, SSL doesn't really offer
> any security benefits.

I'm not really clear on what those bandwidth requirements are - so I'm
curious to know if that is actually such a big deal?

I would for example be more than happy to run a secure mirror if there was
an easy way to keep my mirror up to date. We could offer it as an option
to people. Also, we might consider trying to use github - they offer HTTPS
for their entire site, in theory, even for downloads. I did find an issue
with it though, so that may or may not be a real option.

> What we really should do is to update the download pages to link to the
> GPG signature files and add instructions on how to check the signatures of
> the downloads.

I agree. Tor's signature checking page is here:
https://www.torproject.org/docs/verifying-signatures.html

I almost think we need a common tool for users, available over HTTPS that
helps them to verify signatures of all the projects who ship GnuPG
signatures. In theory this is gpg and in practice, a user who can use gpg
is not the norm. Thoughts?
--
Ticket URL: <https://developer.pidgin.im/ticket/14565#comment:5>
Pidgin <http://pidgin.im>