View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
---|---|---|---|---|---|---|---|---|---|
0001724 | OpenClonk | Website - Automated Builds | public | 2016-04-24 13:31 | 2019-01-27 21:36 | ||||
Reporter | sphalerite | ||||||||
Assigned To | Luchs | ||||||||
Priority | normal | Severity | minor | Reproducibility | always | ||||
Status | resolved | Resolution | fixed | ||||||
Product Version | |||||||||
Target Version | 9.0 | Fixed in Version | 8.1 | ||||||
Summary | 0001724: No secure download options | ||||||||
Description | Neither HTTPS downloads nor tarball signatures are available for download. This means that downloads can be MITMed to introduce malware and we have no way of verifying that the download has not been tampered with. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files |
|
![]() |
|
Isilkor (developer) 2016-04-24 13:34 |
Reminder sent to: Clonk-Karl, Newton CC'ing ck and Newton on this because the bare engine binaries themselves are available via HTTPS, just the snapshots aren't. |
Newton (administrator) 2016-04-24 13:42 |
Yes, our webhoster does not offer HTTPS (for a reasonable price). This won't change in the medium term. The only option if we wanted HTTPS for the downloads would be to move the download archive and snapshots to Isilkor's server. I do not oppose this but of course this means to again rewrite all the release and snapshot build scripts. If any of you two want to do this, you can notify CK or me so that we change the links on the website. If not, this bug will be closed. |
sphalerite (reporter) 2016-04-24 13:44 |
I'd be all for signed tarballs as well, it makes redistribution easier, doesn't require HTTPS support from anyone, and doesn't rely on the PKI. |
sphalerite (reporter) 2016-06-10 17:23 |
Any chance of this happening? |
Isilkor (developer) 2016-06-15 10:34 |
I'm all for moving the snapshots to autobuild.openclonk.org, which is already available via TLS only. |
Luchs (administrator) 2019-01-27 21:36 |
Website uses HTTPS now. Signed tarballs are imo not worth the effort (who verifies these anyways?). |
![]() |
|||
Date Modified | Username | Field | Change |
---|---|---|---|
2016-04-24 13:31 | sphalerite | New Issue | |
2016-04-24 13:31 | sphalerite | Status | new => assigned |
2016-04-24 13:31 | sphalerite | Assigned To | => Isilkor |
2016-04-24 13:34 | Isilkor | Note Added: 0005073 | |
2016-04-24 13:34 | Isilkor | Assigned To | Isilkor => |
2016-04-24 13:34 | Isilkor | Status | assigned => acknowledged |
2016-04-24 13:42 | Newton | Note Added: 0005075 | |
2016-04-24 13:44 | sphalerite | Note Added: 0005076 | |
2016-06-10 17:23 | sphalerite | Note Added: 0005125 | |
2016-06-15 10:34 | Isilkor | Note Added: 0005128 | |
2017-08-05 13:58 | Maikel | Target Version | => 8.0 |
2017-08-20 11:40 | Zapper | Target Version | 8.0 => 9.0 |
2019-01-27 21:36 | Luchs | Assigned To | => Luchs |
2019-01-27 21:36 | Luchs | Status | acknowledged => resolved |
2019-01-27 21:36 | Luchs | Resolution | open => fixed |
2019-01-27 21:36 | Luchs | Fixed in Version | => 8.1 |
2019-01-27 21:36 | Luchs | Note Added: 0006201 |