Bug 90915

Summary: Enable HTTPS on download.freedesktop.org
Product: freedesktop.org Reporter: Philip Withnall <bugzilla>
Component: WebsiteAssignee: fd.o Admin Massive <sitewranglers>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: rebecca_palmer
Version: unspecifiedKeywords: security
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 89682    
Bug Blocks:    

Description Philip Withnall 2015-06-09 16:38:09 UTC 
+++ This bug was initially created as a clone of Bug #89682 +++

As with anongit, please enable HTTPS on download.freedesktop.org, then projects like libnice can symlink their release directories into /srv/download.freedesktop.org/www/$project and have HTTPS for release downloads. This eliminates the possibility of downloads being MitMed and it not being detected because nobody ever manually checks SHA sums or signatures.
Comment 1 Daniel Stone 2016-02-15 14:34:24 UTC 
download.fd.o essentially only worked by accident, due to having a wildcard DNS entry (sigh). Does anyone actually still use it?
Comment 2 Tollef Fog Heen 2016-02-15 21:18:35 UTC 
We now have TLS enabled for www.freedesktop.org and projects can use /software there to store their packages.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.