> On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote:
> > Package: popularity-contest
> > Version: 1.71
> > Severity: wishlist
> > X-Debbugs-Cc: deb...@pleione.es
> >
> > Dear Maintainer,
> >
> > It seems that the site popcon.debian.org is HTTPS capable. Please
> > consider changing the SUBMITURLS variable inside the file default.conf
> > to use it by default.
> > Also, when https is used, does gpg add any privacy enhancement?
>
> Hello Manolo
>
> The server does not support https submission, https submissions
> are redirected to plain http.
>
> This is a feature: older systems reporting to popcon have a too old TLS
> library that is not compatible with modern https server.
>
> Also in the context of popcon, https has a major flaw in that
> it uses a certificate to identify the server, and identifying
> valid certificates is difficult.
>
> On the other hand GPG encryption with a static public key is much
> simpler and safer.
>
> It is easy for the server to use a keyring with all the private decryption
> keys that correspond to the public encryption keys, even if it was last
> used 10 years ago.
>
> On the other hand it is not realistic for a https server to offer a
> 10-year old certificate because this is what older systems are
> expecting.
>
> Cheers,

Hello Bill,

Thank you very much for the very detailed explanation.

Best Regards,
-- 
Manolo Díaz