Tails

#1 Updated by sajolida 2016-08-07 11:50:58

• Assignee set to sajolida

#2 Updated by sajolida 2016-08-30 04:13:27

• Status changed from New to Rejected
• Assignee deleted (sajolida)

We already have HTTPS on most of our mirrors (26 our of 40) but we don’t run these mirrors ourselves. We are considering disabling HTTP-only mirror at some point (maybe once we get enough HTTPS mirror to sustain the load) but not right now. Also note that HTTPS doesn’t replace other verification techniques as it doesn’t protect against:

• Corrupted or malicious mirrors (run by ourselves or by others).
• Interrupted download (which might not cause security issues but definitely confuse people and overload our help desk).

So HTTPS only is not enough to verify the ISO image.

Regarding checksum. We removed checksum verification last year because we couldn’t find a way to document how to use these checksum easily on Windows, Mac, and Linux (we tried for many years before that and failed). Right now we provide three techniques for verification (Firefox extension, BitTorrent, and OpenPGP) which are equivalent and sometimes superior to checksum. People like you who are technical enough to already do checksum verification on their favourite OS are probably technical enough to rely on BitTorrent or OpenPGP verification if they don’t like the Firefox extension (which I can understand).

#3 Updated by sajolida 2016-08-30 13:17:36

• related to Feature #9796: HTTPS mirrors added

#5 Updated by sajolida 2017-06-06 16:50:03

• related to Bug #12645: FAQ: Explain why we don't give a SHA of the ISO image added