httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [Bug 55808] File integrity verification using MD5 and SHA1
Date Thu, 14 Jan 2016 08:25:16 GMT
[cross posting @docs => @dev, full thread
http://www.gossamer-threads.com/lists/apache/docs/453401]

On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
<bfg@blenning.no> wrote:
>
> On 14/01/16 01:19, Yann Ylavic wrote:
>>
>> as I said earlier, the way you access the
>> tarball is not that important provided you verify its signature, or
>> its digests from the official repository only.
>
> I understand what you are saying that the proper way is to download
> the checksums from the correct source, which is self-evident. Now
> assume you're a new user, and do not have this previous knowledge.
> This user is security conscious, so the user chooses https on purpose.
> He would go into (https://httpd.apache.org), where he would find a
> link taking him to (https://httpd.apache.org/download.cgi), at this
> point, he would find the link to (http://www.apache.org/dist/httpd/),
> what I'm saying is in order to have some trust in that link, it
> _SHOULD_ be https otherwise assuming you could introduce yourself as a
> MitM, manipulating the signatures would be trivial.

OK, I thought the links to the MD5/SH1/PGP were https: but this is not the case.
I agree that the origin of these files should be trustable.

@dev: should I s/http:/https:/ for those links (only) in
^httpd/site/trunk/content/download.mdtext?
Or possibly use paths instead (i.e. /dist/httpd/...) so that it
depends on /download.cgi is accessed?
Would that be enough for the prod to be updated (via staging)?

Regards,
Yann.

Mime
View raw message