https://bugs.kde.org/show_bug.cgi?id=387047
--- Comment #9 from RealDolos <do...@cock.li> ---
Again, the issue is not kde infrastructure, it's digikam.org

Steps to reproduce
---
1. google digikam
2. go to digikam.org
3. Click download button
4. Click one of the download links (which says https://download.kde.org in the tip, so secure, right?!)
5. File Save dialog pops up, so save the file
6. Look around on the download page ( https://www.digikam.org/download/ ) for some way of verifying the download. Find none
7. Look at the download, see it was actually retrieved from some http-only unsecured mirror (I only saw it by accident).
8. Look again at the download page ( https://www.digikam.org/download/ ) for some way of verifying the download. Still find none

Options for 9.
9.1. YOLO, just install the NSA-MITMed executables.
9.2. Throw away the download and don't use digikam at all because the file could have been bugged by the FSB-MITM.
9.3. Click around a lot, spend 30 minutes and get frustrated tracking down where on the kde.org sites the actual signatures are, even though digikam.org clearly isn't kde.org. But if you're well educated and knowledgeable like I am (the best user ever!), I somehow know digikam and kde are related.
9.4. Do not even notice the file was not securely transmitted and is now bugged by the Chinese-MITM (all tooltips and the URL bar said https all the time, RIGHT?!), so install the botnet.
9.5. Phew, I got it from an https enabled mirror! Everything is good now! https://downloads.notspying.dontbeevil.dgse.fr/ would never do anything bad!
10. uh, I actually installed it in 9., and now all my monies were transmitted to some Nigerian Prince (his words) who runs the mirror I was redirected to and shipped a malware executable instead of the real deal to me.

Expected:
---
Do 1. to 5.
6. Look around on the download page ( https://www.digikam.org/download/ ), read the warning to verify the download, find the signatures or links to the signatures on that very site.
7. Verify and install digikam.
8. Enjoy the software (hopefully)

>All you need to do is append .sha1 or .sha256 and our systems will serve the
>appropriate signature to you, directly, over HTTPS. This should provide a
>reasonably secure channel to verify the tarballs have not been tampered with
>by a mirror.

Now I know that. However, everybody else who googled and found digikam.org still does not.
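The verification path described in the quoted reply (fetch the tarball, which may come from any mirror, but fetch the `.sha256` directly from download.kde.org over HTTPS and compare), as an added example that is not part of the bug report or of KDE's own tooling. It assumes the `.sha256` file is either a bare hex digest or in `sha256sum` format (`<hex>  <filename>`); only the first field is read.

```shell
#!/bin/sh
# Added example, not from the bug report: verify a download against the
# .sha256 that download.kde.org serves over HTTPS, independent of the mirror
# the tarball itself was redirected to.

# sha256_of FILE -> print the hex digest of FILE (sha256sum or shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE CHECKSUM_FILE -> 0 if the digest matches, 1 otherwise.
# Accepts a bare digest or "<hex>  <filename>"; case-insensitive; rejects
# anything that is not exactly 64 hex characters so a truncated or HTML
# error page masquerading as a checksum file never "matches".
verify_sha256() {
    expected=$(head -n 1 "$2" | tr 'A-F' 'a-f' | cut -d' ' -f1)
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed checksum file: $2" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length in $2" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# fetch_and_verify URL: the tarball URL may redirect to an arbitrary mirror
# (possibly plain http), so follow redirects for it, but fetch the .sha256
# without following redirects and with --proto '=https' so curl refuses any
# downgrade away from the canonical HTTPS origin.
fetch_and_verify() {
    url=$1
    name=$(basename "$url")
    curl -fsSL -o "$name" "$url" || return 1
    curl -fsS --proto '=https' -o "$name.sha256" "$url.sha256" || return 1
    if verify_sha256 "$name" "$name.sha256"; then
        echo "OK: $name matches $name.sha256"
    else
        echo "MISMATCH: discard $name" >&2
        return 1
    fi
}
```

Usage: `fetch_and_verify https://download.kde.org/stable/<path>/<tarball>` (placeholder path); a non-zero exit means the file must not be installed.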