0rzech
commented
8 years ago I don't want to be obtrusive, but this is actually a security issue.
Open 0rzech opened 8 years ago
0rzech
commented
8 years ago I don't want to be obtrusive, but this is actually a security issue.
lots0logs
commented
8 years ago I don't think this is a security issue. Yes, it could have security implications in certain situations but you have a better chance of getting struck by lightning than you do of finding yourself in a situation where this is an issue.
Most of the major distros have a similar setup for distributing their checksums and signatures for ISOs (not using SSL connections) including Ubuntu. That being said, I think the solution you proposed is a good one so we will implement it soon :smiley:
0rzech
commented
8 years ago I guess many security issues have implications only in certain situations. ;) Actually, serving verification files directly from your server adds additional protection from hacked or malicious mirrors. Anyways, thank you for your stance on fixing this issue! 😃
There's no repo for your site, so I'm posting it here as it's related to ISO files.
Both ISO checksums and GPG signatures are being served through HTTP protocol currently, instead of HTTPS. This means zero server-verification when obtaining those. As these files are not large, it should be no problem to serve them directly from antergos.com, IMHO.