[Gpg4win-devel] maintenance (short downtimes) on www/files gpg4win, https redirect
Thomas Arendsen Hein
thomas at intevation.de
Thu Jul 29 15:59:02 CEST 2021
* Werner Koch <wk at gnupg.org> [20210727 20:05]:
> On Tue, 27 Jul 2021 10:46, Thomas Arendsen Hein said:
> > Additionally I already configured files.gpg4win.* to always redirect
> > from http to https, same as www.gpg4win.* is doing since 2015.
>
> Bad idea for files. The integrity is secured by our signatures and
> there are systems where it is hard to use https but easy to use checsums
> or gpg. Think automated systems.
While I assume that automated systems should be able to use https by
now (and still do additional checks), I've reverted this change,
because:
> Almost all users anyway click on the links and as long as this is https
> this is all secure.
This is probably true and for the few situations where it isn't,
there are is still the code signing certificate.
(and the gpg signature, but I doubt many users would check that)
> Those who want http (or ftp) for files should be
> abale to continue their use.
We never offered ftp for gpg4win downloads and I disabled our last
ftp server about three years ago.
Regards,
Thomas
--
Thomas Arendsen Hein <thomas at intevation.de>
OpenPGP key: https://intevation.de/~thomas/thomas_pgp.asc (0xD45DE28FF3A2250C)
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-devel/attachments/20210729/e8aa26cf/attachment.sig>
More information about the Gpg4win-devel
mailing list