https://bugs.kde.org/show_bug.cgi?id=387047
RealDolos <do...@cock.li> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|RESOLVED    |UNCONFIRMED
         Resolution|INVALID     |---

--- Comment #4 from RealDolos <do...@cock.li> ---
digikam.org is the authoritative source of downloads for a lot of people. As such it is YOUR obligation to provide at the very least hashes, even better signatures (e.g. gpg) and/or code-signed binaries (which would solve the issue of a compromised digikam.org server, too).

> The digikam.org do not host any files to download from client side.
> All is stored and mirrored by kde.org. That all.

That's exactly the problem. When downloading digikam, it will not be downloaded from https://digikam.org/ (secured by TLS), but instead it will be downloaded from some KDE mirror (most likely over an unencrypted channel and therefore subject to man-in-the-middle attacks). The only way to verify the download is not tampered with or corrupted during transfer is some form of checksum/signature, which is not readily available from digikam.org.

> We (digiKam team) have no way to change that.

Yes, you do, by stating cryptographic hashes or signatures of known-good release files on https://www.digikam.org/download/, just like about every other open source product does these days.

-- 
You are receiving this mail because:
You are watching all bug changes.
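The check that published hashes would make possible for a mirror download, as an added shell example that is not from the bug report or the digiKam project; the file names, contents and the SHA256SUMS file are constructed for the demo, and a file with no published entry is treated as unverifiable rather than as passing.

```shell
#!/bin/sh
# Added example (not from the bug report): verify a release file fetched from a
# mirror against a SHA-256 checksum the project would publish over HTTPS.
# Everything below (names, payload, SHA256SUMS) is constructed for the demo.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE SUMSFILE
# Looks up FILE's basename in SUMSFILE (lines of "<hex>  <name>", the format
# sha256sum -c reads) and compares digests.
# Returns 0 on match, 1 on mismatch, 2 when no entry exists for the file:
# an absent hash gives no assurance at all, so it must not pass silently.
verify_download() {
    file=$1; sums=$2
    expected=$(awk -v n="$(basename "$file")" '$2 == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum published for $(basename "$file")" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# Constructed data: the genuine release file and a mirror copy altered in transit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
good=$demo_dir/good; mirror=$demo_dir/mirror
mkdir -p "$good" "$mirror"
printf 'digiKam release payload (constructed)\n' > "$good/digikam-demo.tar.gz"
cp "$good/digikam-demo.tar.gz" "$mirror/digikam-demo.tar.gz"
printf 'x' >> "$mirror/digikam-demo.tar.gz"
# The checksum list the project site would publish, built here from the good file.
printf '%s  digikam-demo.tar.gz\n' "$(sha256_of "$good/digikam-demo.tar.gz")" > "$demo_dir/SHA256SUMS"

verify_download "$good/digikam-demo.tar.gz" "$demo_dir/SHA256SUMS"
verify_download "$mirror/digikam-demo.tar.gz" "$demo_dir/SHA256SUMS" || echo "mirror copy rejected (exit $?)"
```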