On Tue, Oct 6, 2015 at 4:52 PM, Pat David <patda...@gmail.com> wrote:
> Awesome feedback! (I thrive on having a task list in front of me!) :D
> On Mon, Oct 5, 2015 at 8:38 PM Jehan Pagès <jehan.marmott...@gmail.com>
>> 1/ Is it possible to force the download page at least to be https?
>> There are some companies which provide free certificates with root CA
>> in all mainstream browsers.
>> This would be a prerequisite to pretend to provide safe download. For
>> instance I see the page provides checksums, which is good but is half
>> meaningless if not provided through a secure channel like https (half
>> because it still allows download corruption check, but not malevolent
>> corruption integrity check).
> I agree, but this is not a thing that I can do personally. I'd refer to the
> big gimper, schumaml to find out what the best course of action might be
> here? Not sure who best to obtain a cert through for our use. If we do get
The most common CA giving free certs is startSSL: http://www.startssl.com/
The free certs are 1-year and no-wildcards only. But I'm thinking they
may offer help for a project such as GIMP and could provide some certs
with advanced features if we contact them.
Other than this, there is Let's Encrypt (https://letsencrypt.org/), a
project driven by Mozilla among other entities, which aims at
providing free certs for everyone. But their root certs are not yet in
any browser. Right now this is still in "test" state, thus not usable
by gimp.org. Yet we may keep an eye there.
> one, then it would make more sense to simply use it across the entire site
> when we implement.
Yes of course, it would be good to have it everywhere. But this may
not be mandatory everywhere. But for the download page, it has to be, in
my opinion. In other words, going to http://static.gimp.org/downloads/
should be impossible and automatically redirect to
This is a basic security measure. If we allow access to a non-encrypted
version of the download page, this is like a house with a steel
security door and a broken wooden door: malevolent people can still use
the broken wooden door and the other door is as good as decoration. In
software terms, malevolent people can just do man-in-the-middle
attacks on the non-https page.
But yeah, making https mandatory everywhere is even better and very
easy to do (that's a web server configuration).
>> 2/ Also still in the download page, could the download links for OS
>> which have any (Windows and OSX) be made into colorful buttons? I
>> believe this simplifies the download task.
> Yes, absolutely. Now that the porting is mostly done, I can start focusing
> on styling elements of the page like the download links (they are cute
> buttons on the current WGO, I'll aim for something in a similar vein for
>> 3/ If the exact Linux distribution (Fedora rightfully detected, for
>> instance in my case) has been detected, it would be good to have the
>> install information for this distrib at the top (and maybe even the
>> others hidden, unless clicking a "see all Linux distribution" link).
> I think this is a good idea as well, and will look into expanding the
> detection/show logic to capture more specific instances like this.
>> 4/ As sad as it is (for someone like me whose first distribution was
>> Mandrake, later known as Mandriva), the Mandriva company has closed
>> this year. The website has been down for many weeks, thus even though
>> it has been saved many times in the last years, it seems that this
>> time, it is really the end. You may as well remove it from the list.
>> 5/ I propose to add Mageia (which is a community fork of Mandriva,
>> born a few years ago) instead. Same install command as Mandriva.
> I'm not sure if we want to remove mention of Mandriva completely for
> historical reasons? (I'm genuinely not sure - my first gut instinct is to
> remove it for the reasons you've listed, and replace it with the Mageia
> reference. If anyone has a different thought let me know - otherwise I'm
> going with your suggestion).
>> 6/ For Fedora, yum is dead. The right install command is: "dnf install
>> gimp" (well yum will still work but will output a deprecation warning
>> and redirect to dnf). Of course, you may provide both commands if you
>> want to be as backward compatible as possible.
> Thank you, I'll update accordingly!
>> 7/ Mint is quite well spread too. I propose to add it to the "Ubuntu,
>> Debian" list. (Mint is mostly derived from Ubuntu, except for one
>> version derived from Debian)
> I agree, and will add it to the list! Thank you so much for taking the time
> to have a look and provide detailed feedback!
gimp-web-list mailing list
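The web server configuration Jehan refers to, as an added example that is not part of the thread and not gimp.org's actual configuration: an nginx setup in which the plain-HTTP listener does nothing but redirect to HTTPS, so the download page and its checksums are only ever served over the encrypted channel. The hostname is taken from the message; the certificate paths, document root and the HSTS header are assumptions.

```nginx
# Added example (not from the thread): make the download host reachable
# over HTTPS only, as proposed above. Hostnames beyond static.gimp.org,
# certificate paths and the document root are assumed.

# Plain-HTTP listener: serves nothing itself, sends every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name static.gimp.org;

    # 301 preserves the path, so http://.../downloads/ lands on
    # https://.../downloads/ rather than on the front page.
    return 301 https://$host$request_uri;
}

# HTTPS listener: the only place the download page and checksums exist.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name static.gimp.org;

    ssl_certificate     /etc/ssl/certs/static.gimp.org.crt;    # assumed path
    ssl_certificate_key /etc/ssl/private/static.gimp.org.key;  # assumed path

    # HSTS is not mentioned in the thread; it is added here as the usual
    # companion to the redirect: a browser that has seen this header skips
    # the plain-HTTP request on later visits, so even the redirect itself
    # is no longer exposed to a man-in-the-middle. Keep max-age short
    # while testing, raise it once the HTTPS setup is known to be stable.
    add_header Strict-Transport-Security "max-age=300" always;

    root /var/www/static.gimp.org;  # assumed document root
}
```

To check the behaviour after reloading nginx, request the HTTP URL with `curl -I http://static.gimp.org/downloads/`: the response should be a `301` whose `Location` header points at the same path under `https://`, and the same request against the HTTPS URL should return the page directly. If the HTTP request returns the page content instead of a redirect, the "second door" Jehan describes is still open.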