https://bugs.kde.org/show_bug.cgi?id=387047

            Bug ID: 387047
           Summary: Easily accessible signatures
           Product: digikam
           Version: unspecified
          Platform: Other
                OS: All
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: Website
          Assignee: digikam-bugs-n...@kde.org
          Reporter: do...@cock.li
  Target Milestone: ---

digikam.org doesn't list any signatures and/or cryptographic hashes to verify
downloads.

This is kinda crucial since the KDE download site automatically redirects to
mirrors, operated by third parties and more often than not using unencrypted
protocols (HTTP, FTP). So in this scenario I'd have to trust three or more
parties, only one of which is digiKam/KDE:

1) digiKam
2) The operator of the mirror (I'm sure "klaus-uwe" running
"mirror.klaus-uwe.me" is a nice guy, but maybe he is not).
3) Anybody in a MITM position, so my ISP, their ISP, internet exchanges, the
NASA, the KGB, the Mossad, the BUND...err...BND, Al Gore (who invented the
Internet), some guy called Nils K. who keeps spying on me although he denies
this, etc.

At the very least *prominently* enough provide signatures and/or cryptographic
hashes I can verify*.

* (After some random clicking around I found that All Downloads/Metadata
actually shows hashes)
