Bug 1512

Summary: SSL for checksums
Product: Websites Reporter: Fabian Wannenmacher <f.wanne>
Component: www.mageia.orgAssignee: Atelier Team <atelier-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: enhancement    
Priority: Low CC: filip.komar, jeffrobinsSAE, rdalverny, tmb
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.mageia.org/de/downloads/dl.php?product=mageia-1-cd-dualarch
Whiteboard:
Source RPM: CVE:
Status comment:

Description Fabian Wannenmacher 2011-06-01 22:34:57 CEST 
Description of problem:
If you provide the sites with checksums over SSL, it would be much easier to verify the downloaded file.
Fabian Wannenmacher 2011-06-01 22:36:25 CEST

Priority: Normal => Low
Severity: normal => enhancement

Comment 1 Thomas Backlund 2011-06-01 23:12:15 CEST 
You can verify that the files are correct with the gpg keys,

CC: (none) => tmb

Comment 2 Michael Scherer 2011-06-01 23:16:07 CEST 
there is https on www.mageia.org but it seems to not work. I will look at it, as this on zarb side.

CC: (none) => misc

Comment 3 Michael Scherer 2011-06-01 23:29:58 CEST 
Mhh since the website is on zarb, we cannot place our wildcart cert there. So this will have to wait until we move to our servers.
Comment 4 Marja Van Waes 2011-10-17 07:45:04 CEST 
(In reply to comment #3)
> Mhh since the website is on zarb, we cannot place our wildcart cert there. So
> this will have to wait until we move to our servers.

I understand moving is still in progress

CC: (none) => marja11

Comment 5 Romain d'Alverny 2012-05-24 23:28:34 CEST 
https://www.mageia.org/ is available, but not used as default. Checksums are indeed directly provided, but I don't see an easy case to make the visitor switch to https here.

CC: (none) => rdalverny

Comment 6 Jeff Robins 2012-05-24 23:53:28 CEST 
This is really easy with PHP.  I have example code somewhere, but I there should be plenty of code on the net.

I'm not sure if there is a simple way to do it with Apache unless you use a scripting language.

CC: (none) => jeffrobinsSAE

Comment 7 Romain d'Alverny 2012-05-25 09:40:56 CEST 
I know that. :-p What I mean is that the user flow is the following:

a) lands on home, goes to downloads page
b) lands on downloads page, click to get a specific ISO/file
c) langs on the download page redirector which shows various info about download, including the checksums, then redirects in JS to the very file to download.

We can't force/control whether the user is using https in a) and b). We could force the link to https for c) but is it worth the load? (why not, there's plenty of things to improve the website perf anyway).
Comment 8 Jeff Robins 2012-06-05 09:06:32 CEST 
I don't know that the increase in load will be that great, most websites that I have heard of switching to https exclusively (google, facebook, twitter, etc), reported only about a 1% to 2% increase in server load.

TBH, I would be much happier if the entire website was in https, but that's just on principle.
Marja Van Waes 2013-09-22 21:12:47 CEST

CC: marja11, misc => (none)

Comment 9 Filip Komar 2020-05-23 21:37:22 CEST 
Already fixed in the past.

Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => filip.komar