httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <>
Subject Re: [Bug 55808] File integrity verification using MD5 and SHA1
Date Thu, 14 Jan 2016 08:25:16 GMT
[cross posting @docs => @dev, full thread]

On Thu, Jan 14, 2016 at 1:50 AM, Tom Fredrik Blenning Klaussen
<> wrote:
> On 14/01/16 01:19, Yann Ylavic wrote:
>> as I said earlier, the way you access the
>> tarball is not that important provided you verify its signature, or
>> its digests from the official repository only.
> I understand what you are saying that the proper way is to download
> the checksums from the correct source, which is self-evident. Now
> assume you're a new user, and do not have this previous knowledge.
> This user is security conscious, so the user chooses https on purpose.
> He would go into (, where he would find a
> link taking him to (, at this
> point, he would find the link to (,
> what I'm saying is in order to have some trust in that link, it
> _SHOULD_ be https otherwise assuming you could introduce yourself as a
> MitM, manipulating the signatures would be trivial.

OK, I thought the links to the MD5/SH1/PGP were https: but this is not the case.
I agree that the origin of these files should be trustable.

@dev: should I s/http:/https:/ for those links (only) in
Or possibly use paths instead (i.e. /dist/httpd/...) so that it
depends on /download.cgi is accessed?
Would that be enough for the prod to be updated (via staging)?


View raw message