[Pidgin] #14565: Link to .asc file and offer download over TLS

Pidgin trac at pidgin.im
Wed Sep 19 21:39:58 EDT 2012


#14565: Link to .asc file and offer download over TLS
-------------------------------------------------+-------------------------
 Reporter:  ioerror                              |       Owner:  rekkanoryo
     Type:  task                                 |      Status:  new
Milestone:                                       |   Component:
  Version:                                       |  unclassified
 Keywords:  security https tls pgp signature     |  Resolution:
  win32                                          |
-------------------------------------------------+-------------------------

Comment (by datallah):

 Replying to [comment:5 ioerror]:
 > Replying to [comment:4 datallah]:
 > > SSL downloads are probably not going to happen any time soon.  The
 bandwidth requirements would be quite high, we'd lose the Sourceforge
 global mirroring, and with the GPG signatures, SSL doesn't really offer
 any security benefits.
 > >
 >
 > I'm not really clear on what those bandwidth requirements are - so I'm
 curious to know if that is actually such a big deal?

 Since 2.10.6 was released on 2012-07-06, there have been ~615K
 downloads.
 The vast majority (530K) of these are the Windows installer, which is
 about 10MB.
 On the top day for downloads, ~20K downloads, which means there was ~200GB
 downloaded on that day.
 The first month after it was released saw ~280K downloads, ~ 2.8TB.

 This doesn't include downloads of the GTK+ Bundle.

 > I would for example be more than happy to run a secure mirror if there
 was an easy way to keep my mirror up to date. We could offer it as an
 option to people. Also, we might consider trying to use github - they
 offer HTTPS for their entire site, in theory, even for downloads. I did
 find an issue with it though, so that may or may not be a real option.

 I guess I'm wondering what real benefit SSL downloads will offer.  I
 understand the need for the ability to validate that the download hasn't
 been tampered with, but SSL can't really do that in the same way that a
 signature does.

 Sourceforge, for all its warts, has done a good job of providing
 redundant hosting with lots of mirrors located on several continents.  I
 feel like unless there is a compelling reason to reinvent the wheel, we
 shouldn't be doing that.

 > > What we really should do is to update the download pages to link to
 the GPG signature files and add instructions on how to check the
 signatures of the downloads.
 >
 > I agree. Tor's signature checking page is here:
 > https://www.torproject.org/docs/verifying-signatures.html

 I'll be working on this soon; more to come.

 > I almost think we need a common tool for users, available over HTTPS
 that helps them to verify signatures of all the projects who ship GnuPG
 signatures. In theory this is gpg and in practice, a user who can use gpg
 is not the norm. Thoughts?

 I guess it doesn't seem wise or appropriate to try to create and maintain
 our own tool for doing this; we have our hands full enough without taking
 on an additional challenge of something that's difficult to get right.
 It also seems to me that people who don't (care enough to take the time
 to) understand what it takes to validate the download aren't going to be
 any more secure if there's a tool that rubber-stamps a download as
 "secure".

-- 
Ticket URL: <https://developer.pidgin.im/ticket/14565#comment:8>
Pidgin <http://pidgin.im>