Antergos / antergos-iso

Scripts based on archiso to create the Antergos ISO

ISO checksums and GPG signatures are being served through HTTP

0rzech opened this issue · comments

There's no repo for your site, so I'm posting it here as it's related to ISO files.

Both ISO checksums and GPG signatures are currently being served through the HTTP protocol instead of HTTPS. This means zero server verification when obtaining those. As these files are not large, it should be no problem to serve them directly from antergos.com, IMHO.

I don't want to be obtrusive, but this is actually a security issue.

I don't think this is a security issue. Yes, it could have security implications in certain situations but you have a better chance of getting struck by lightning than you do of finding yourself in a situation where this is an issue.

Most of the major distros have a similar setup for distributing their checksums and signatures for ISOs (not using SSL connections) including Ubuntu. That being said, I think the solution you proposed is a good one so we will implement it soon 😃

I guess many security issues have implications only in certain situations. ;) Actually, serving verification files directly from your server adds additional protection from hacked or malicious mirrors. Anyways, thank you for your stance on fixing this issue! 😃
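As an added example (not part of antergos-iso or of this issue), here is a POSIX sh verification flow that applies what the thread asks for: fetch the checksum list and its detached GPG signature only over HTTPS from the primary site, verify the signature against a pinned release keyring before trusting any checksum, and only then check the ISO. The URLs, keyring path and file names are placeholders, not the project's real ones.

```shell
#!/bin/sh
# Added example, not Antergos project code. Placeholder URLs and paths.
set -eu

# Fetch an artifact, refusing anything but https:// so an on-path attacker
# cannot swap the checksum list or the signature in transit (the thread's
# "zero server verification" problem with plain HTTP).
fetch_https() {
    url="$1"; out="$2"
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Verify the detached signature on the checksum list using a keyring that
# holds only the distribution's release key (path is an assumption).
# A valid signature is what protects against a hacked or malicious mirror.
verify_sums_signature() {
    sums="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
}

# Check one ISO against a sha256sum-style list ("<hash>  <name>" or "<hash> *<name>").
# Returns 0 only if the ISO's file name is listed and its hash matches.
verify_iso_checksum() {
    iso="$1"; sums="$2"
    name=$(basename "$iso")
    line=$(awk -v n="$name" '$2 == n || $2 == "*" n { print; exit }' "$sums")
    [ -n "$line" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    (cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha256sum -c --quiet -)
}

# Full flow in the safe order: authenticate the list first, then use it.
# $1 = local ISO path, $2 = base HTTPS URL of the primary site (placeholder).
verify_release() {
    iso="$1"; base="$2"; keyring="${3:-./release-key.gpg}"
    fetch_https "$base/SHA256SUMS"     ./SHA256SUMS
    fetch_https "$base/SHA256SUMS.sig" ./SHA256SUMS.sig
    verify_sums_signature ./SHA256SUMS ./SHA256SUMS.sig "$keyring"
    verify_iso_checksum "$iso" ./SHA256SUMS
}
```

Run it as `verify_release ./antergos.iso https://PRIMARY-SITE/iso` after importing the release key into the keyring; a checksum list that was fetched over plain HTTP or whose signature fails is never consulted.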