[Pidgin] #14565: Link to .asc file and offer download over TLS
Pidgin
trac at pidgin.im
Wed Sep 26 11:57:50 EDT 2012
#14565: Link to .asc file and offer download over TLS
-------------------------------------------------+-------------------------
Reporter: ioerror | Owner: rekkanoryo
Type: task | Status: new
Milestone: | Component:
Version: | unclassified
Keywords: security https tls pgp signature | Resolution:
win32 |
-------------------------------------------------+-------------------------
Comment (by elb):
This thread has a lot of things in it on a lot of topics, and quote are
getting long; I'm going to take a stab at addressing some of the things I
find most important with minimal context. Please ask for clarification if
anything is unclear.
== HTTPS downloads should be used to provide protection against MITM ==
I see where this is coming from, but I'm not personally much motivated by
it. I have no problem with offering HTTPS downloads (and even think it's
a good idea, in the sense that I'd like to see the ''entire web'' use
HTTPS), but I don't buy that it makes users ''any safer whatsoever'', for
several reasons. The most important of which are that an HTTPS download
of a corrupted file is just as corrupt as an HTTP download of a corrupted
file, and that the CAs aren't exactly shining stars of reliability these
days. However, provided that we can solve the following problems:
1. It's all well and good to say "2.8TB per month plus other downloads
not included in that figure isn't much", but the reality is that, no, it's
a lot. It's a huge ton. The reason isn't because 2.8TB/mo is difficult
or expensive to support in terms of service infrastructure, but because
''we have no dedicated admins''. We're lucky to support the
infrastructure we have now, and it mostly gets by on administrator time
from people who don't have the time to give in the first place. We really
do have to solve the infrastructure problem in a cheap way to make this a
reality. SourceForge, for whatever faults it may have (including the
recent backdoored PHPMyAdmin download on one of their mirrors) makes
providing a global network of mirrors easy.
1. Trusting third-party volunteers to provide SSL downloads is a Big
Deal. We don't admit third-party builds into our downloads for the same
reason. I don't know you from Adam; why should I trust you to provide
good faith service to our users? Even if I trust you, what about other
people who may offer to serve downloads? I haven't looked at the TUF
mentioned above, but I am familiar with some of Justin's work, and in
particular his Seattle (which does automated updates, and is possibly
related), it may help on this front. In any event, I don't want to
''develop'' a solution to solve this problem -- we don't have time.
Browsing the secure mirrors and verifying files is a lot harder than it
sounds, because if the mirrors know who is browsing for verification they
can simply supply good content to suspected verifiers and corrupt content
to other users.
1. Once third-party volunteers are trusted, we have to have a way to
distribute packages quickly and reliably. Ideally, in a semi-synchronized
fashion. One of the things that's bit us even with SF in the past is that
some mirrors can take quite a while to catch up to the files offered on
the primary site. This leads to bug reports and IRC support requests.
They've made this a lot better in recent years (or so it seems), and we've
taken to uploading files some time before announcing their presence to
combat this. With a network of volunteer mirrors, I fear regression on
this front.
1. Integrating both HTTPS and the current SourceForge mirrored downloads
on the Pidgin site in a way that is not confusing to users, or else
satisfying the entire demand for downloads via a secure download method,
is a must. We already have users who can't figure out how to download
Pidgin, and we've spent ''a lot of time'' trying to make our Download
pages as clear as possible. This is not a made up problem. I see that
ioerror has volunteered to help us with that, and that's great.
All things considered, I'd strongly prefer offering HTTPS downloads off
servers we provide, or via a single trusted third-party service (such as
SourceForge, compromised download servers notwithstanding), '''provided
that''' the administrative burden can be reduced sufficiently. I don't
have a problem with proposing that IMF money be spent on this (for
example, to purchase the bandwidth) if I am convinced that the
administrative overhead is small enough.
== Signatures should be offered up front on the download page ==
I entirely agree with this. As I understand our download interface, if we
add a link to the Windows download instructions and the source download
instructions, possibly including a secondary link to instructions such as
datallah has suggested above (which I have not yet read), we can solve
this concern. The other download links either suggest various package
managers (which have their own verification methods) or ultimately wind up
at the source download page.
== There should be an easy way to download and verify binaries,
particularly on Windows ==
I agree with this, but it's not our problem. Or rather, we can't afford
to make it our problem. If a solution to this problem exists, we can
evaluate using it.
== Is there a way to fetch content (perhaps via rsync) directly from the
Pidgin project? ==
No. We can arrange that, but there's no current way. We're not likely to
arrange it for individual users, the burden is just too high. We would
need to arrange it on a broader scale, which is what this conversation is
all about.
== We need a way to trust the Pidgin developers' signatures ==
I am well signed into the web of trust, as are several of the other Pidgin
developers, and there is an incomplete core of Pidgin developers well
cross-signed. That core includes (but is probably not limited to) myself,
Gary, Richard, Mark, and John. I am always happy to exchange key
signatures with anyone who can present me with proof of ID and proof that
they own the email addresses in their associated UIDs. (We can discuss
proof of ID depending on circumstance; personal introductions ''plus''
government issued ID preferred, but that is of course not always
possible.) I no longer travel as much as I used to, but I do travel from
time to time, and I am willing to arrange meetups in remote locations when
feasible.
== Secure magnet URIs ==
As I understand it, a magnet URI is simply a collection of hashes of the
data to be downloaded. I see no reason we could not or should not provide
this. It will require some effort to automate the generation and
uploading of this data (we don't want uploaders to have to do a lot of
extra work), but as we already have ways to distribute version numbers
throughout our download pages I see no reason that we cannot add and
include hashes. Is there more effort required for this?
--
Ticket URL: <https://developer.pidgin.im/ticket/14565#comment:19>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list