On Tue, May 25, 2021 at 05:14:41PM +0200, Manolo Díaz wrote: > > > On Tue, May 25, 2021 at 04:23:41PM +0200, Manolo Díaz wrote: > > > Package: popularity-contest > > > Version: 1.71 > > > Severity: wishlist > > > X-Debbugs-Cc: [email protected] > > > > > > Dear Maintainer, > > > > > > It seems that the site popcon.debian.org is HTTPS capable. Please > > > consider changing the SUBMITURLS variable inside the file default.conf > > > for use it by default. > > > Also, when https is used, does gpg add any privacy enhancement? > > > > Hello Manolo > > > > The server does not support https submission, https submissions > > are redirected to plain http. > > > > This is a feature: older systems reporting to popcon have a too old TLS > > library that is not compatible with modern https server. > > > > Also in the context of popcon, https has a major flaw in that > > it uses a certificate to identify the server, and identifying > > valid certificates is difficult. > > > > On the other hand GPG encryption with a static public key is much > > simpler and safer. > > > > It is easy for the server use a keyring with all the private decryption > > keys that correspond to the public encryption keys, even if it was last > > used 10 years ago. > > > > On the other hand it is not realistic for a https server to offer a > > 10-year old certificate becuase this is what older systems are > > expecting. > > > > Cheers, > > > Hello Bill, > > Thank you very much for the very detailed explanation.
Thanks, I will add it to the FAQ. Cheers, Bill.

