gnewsense-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?

From: Sam Kuper
Subject: Re: [gNewSense-users] SSL/TLS/GPG: how to trust gNewSense downloads?
Date: Mon, 23 Dec 2013 02:01:24 +0000 
On 22/12/2013, Sam Geeraerts <address@hidden> wrote:
> Op Fri, 20 Dec 2013 03:02:26 +0000
> schreef Sam Kuper <address@hidden>:
> [...]
> You can find the repository key in the
> gnewsense-archive-keyring package [1] (file
> keyrings/gnewsense-archive-keyring.gpg). You can check that it's the
> right key by verifying the fingerprint, which listed on our website
> [2] [...]
> [1]
> http://archive.gnewsense.org/gnewsense-three/gnewsense/pool/main/g/gnewsense-archive-keyring/gnewsense-archive-keyring_2012.05.06.tar.gz
> [2] http://www.gnewsense.org/Main/ReposRefs

Thanks for the links, but as both are served over HTTP, I find them
not terribly useful from a trust perspective, I'm afraid.

> but I'll give it here to avoid any doubt:
>
> 4F8A 7A4A 66A7 83D1 5560  7F1E E4D0 9D08 BF11 9352

Thank you again for your helpfulness. Without meaning to sound
ungrateful, however, plain email isn't any more trustworthy than HTTP.

Would you (or someone else) be able to copy the repository key(s) to Savannah?

> Savannah is not designed to serve a distribution's package repository.

This statement comes as a surprise to me. I don't see anything in
http://savannah.nongnu.org/register/requirements.php or
http://savannah.nongnu.org/maintenance/HowToGetYourProjectApprovedQuickly/
that suggests Savannah wouldn't be suitable.

Still, you may be correct. If so, then other hosts offering HTTPS are available:

http://savannah.nongnu.org/maintenance/WhyChooseSavannah/

> gNewSense has no money, so we can't get a certificate from the big CAs.

I would be willing to donate the cost of any one of the following
1-year certificates:

InstantSSL: 
http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-instantssl.html

StartSSL Identity Verified or Organization Verified:
https://www.startssl.com/?app=40

> We might get one from CAcert, but that's not trusted by most browsers,
> as far as I know. That might make it as trustworthy to you as a
> self-signed certificate. So adding SSL support would be either 'better
> than nothing' or 'a false sense of security', depending on your view.
>
> I'm more of the former view,

I agree it would be better than nothing.

Another free of charge option that would also be better than nothing
is the StartSSL Free certifcate: https://www.startssl.com/?app=40

> but implementing this is low on my
> priority list, because I don't want to muck around with the web
> server's configuration and I'd have to polish up my knowledge of
> certificate administration.

I understand this, but I also feel there's little point in gNewSense
if it is only available via untrusted/unsecured channels. Users
shouldn't have to choose between placing faith in BLOBs or placing
faith in HTTP.

Thanks again for your time,

Sam
reply via email to
[Prev in Thread] Current Thread [Next in Thread]