Feature #11623

Provide SHA-Checksum and HTTPS Download

Added by Anonymous 2016-08-06 08:27:39 . Updated 2016-08-30 13:18:04 .

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2016-08-06
Due date:
% Done:

0%

Feature Branch:
Type of work:
Discuss
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

Subject says it all.


Subtasks


Related issues

Related to Tails - Feature #9796: HTTPS mirrors Resolved 2017-06-21
Related to Tails - Bug #12645: FAQ: Explain why we don't give a SHA of the ISO image Resolved 2017-06-06

History

#1 Updated by sajolida 2016-08-07 11:50:58

  • Assignee set to sajolida

#2 Updated by sajolida 2016-08-30 04:13:27

  • Status changed from New to Rejected
  • Assignee deleted (sajolida)

We already have HTTPS on most of our mirrors (26 our of 40) but we don’t run these mirrors ourselves. We are considering disabling HTTP-only mirror at some point (maybe once we get enough HTTPS mirror to sustain the load) but not right now. Also note that HTTPS doesn’t replace other verification techniques as it doesn’t protect against:

  • Corrupted or malicious mirrors (run by ourselves or by others).
  • Interrupted download (which might not cause security issues but definitely confuse people and overload our help desk).

So HTTPS only is not enough to verify the ISO image.

Regarding checksum. We removed checksum verification last year because we couldn’t find a way to document how to use these checksum easily on Windows, Mac, and Linux (we tried for many years before that and failed). Right now we provide three techniques for verification (Firefox extension, BitTorrent, and OpenPGP) which are equivalent and sometimes superior to checksum. People like you who are technical enough to already do checksum verification on their favourite OS are probably technical enough to rely on BitTorrent or OpenPGP verification if they don’t like the Firefox extension (which I can understand).

#3 Updated by sajolida 2016-08-30 13:17:36

#4 Updated by sajolida 2016-08-30 13:18:04

HTTPS mirrors are 9796 and we want to work on this in 2017.

#5 Updated by sajolida 2017-06-06 16:50:03

  • related to Bug #12645: FAQ: Explain why we don't give a SHA of the ISO image added