| Summary: | website www.spice-space.org: downloads are not secured at all | ||
|---|---|---|---|
| Product: | Spice | Reporter: | Christian Stadelmann <frdsktp> |
| Component: | RFE (general) | Assignee: | Spice Bug List <spice-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | medium | CC: | teuf |
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
|
Description
Christian Stadelmann
2016-07-05 22:04:38 UTC
(In reply to Christian Stadelmann from comment #0) > Currently, the website http://www.spice-space.org/ is not encrypted nor does > it provide any signatures for downloads. This is an easy target for > man-in-the-middle-attacks. > > Please > 1. make this site available through HTTPS (and only HTTPS) Yes, having https access has been on the TODO for a while > 2. provide gpg signatures for downloads Some downloads do have GPG signatures, see the .sig/.sign files on http://www.spice-space.org/download/releases/ , I agree this should be done for all new releases, which is far from being the case currently I don't know if it can help. Somebody suggested this service to me https://letsencrypt.org/about/. But probably we can get a certificate from RedHat. https://www.spice-space.org/download/ can now be accessed through https. There is one remaining issue with https://spice-space.org/download/ which uses an invalid certificate. We are trying to fix that. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.