On 8/22/16 8:23 PM, Richard Stanway wrote: > See https://nginx.org/en/linux_packages.html#stable > > PGP key links are hard coded to http URLs: > > <p> > For Debian/Ubuntu, in order to authenticate the nginx repository > signature > and to eliminate warnings about missing PGP key during installation > of the > nginx package, it is necessary to add the key used to sign the nginx > packages and repository to the <code>apt</code> program keyring. > Please download <a href="http://nginx.org/keys/nginx_signing.key";>this > key</a> from our web site, and add it to the <code>apt</code> > program keyring with the following command: > </p> > Yes, I see. It should be fixed. Thanks.
> On Mon, Aug 22, 2016 at 7:19 PM, Maxim Konovalov <ma...@nginx.com > <mailto:ma...@nginx.com>> wrote: > > On 8/22/16 8:15 PM, Richard Stanway wrote: > > Could you at least fix the https download page, so it doesn't > > directly link to a HTTP PGP key? > > > It works correctly: https://nginx.org/en/download.html > <https://nginx.org/en/download.html> > > > On Mon, Aug 22, 2016 at 6:49 PM, Maxim Konovalov <ma...@nginx.com > <mailto:ma...@nginx.com> > > <mailto:ma...@nginx.com <mailto:ma...@nginx.com>>> wrote: > > > > On 8/22/16 7:41 PM, B.R. wrote: > > > The problem is, if the GPG key is served through HTTP, > there is no > > > way to authenticate it, since it could be compromised > through > > MITM. > > > I am very surprised to see myself being qualified as 'HTTPS > > despot' > > > when I just spot the obvious. > > > > > But it does not -- our PGP key distributed through a number of > > channels, including HTTPS. Problem solved, case closed? > > > > > Compromised repository + GPG key is one very powerful way of > > > impersonating another product. > > > > > > TLS provides both encryption and authentication, based > on the > > > initial shared circle of trust. > > > Thus you certify the GPG key is authentic and thus, if > it verifies > > > the binaries, you ensure the delivered package are > produced by the > > > owner of the key, in the end the real author. > > > > > > In 2016, stating that content served over HTTP is 'secure' > > blows my > > > mind and kills your credibility. > > > > > Who did that? What's his name? > > > > > Now, as Richard pointed out, if you truly believe you > need to > > > provide HTTP-only, you can. It would be better if it was > in a very > > > visible fashion, though. > > > Where was despotism, again? > > > > nginx.org <http://nginx.org> <http://nginx.org> already > has HTTPS therefore it is > > not HTTP-only. > > > > > --- > > > *B. R.* > > > > > > On Mon, Aug 22, 2016 at 5:40 PM, Richard Stanway > > > <r1ch+ng...@teamliquid.net > <mailto:r1ch%2bng...@teamliquid.net> > <mailto:r1ch%2bng...@teamliquid.net > <mailto:r1ch%252bng...@teamliquid.net>> > > <mailto:r1ch+ng...@teamliquid.net > <mailto:r1ch%2bng...@teamliquid.net> > > <mailto:r1ch%2bng...@teamliquid.net > <mailto:r1ch%252bng...@teamliquid.net>>>> wrote: > > > > > > 1. You could provide insecure.nginx.org > <http://insecure.nginx.org> > <http://insecure.nginx.org> > > > <http://insecure.nginx.org> mirror for such people, make > > > nginx.org <http://nginx.org> <http://nginx.org> > <http://nginx.org> secure by > > default. > > > > > > 2. Modern server CPUs are already extremely energy efficient, > > > TLS adds negligible load. See https://istlsfastyet.com/ > > > > > > > > > > > > On Mon, Aug 22, 2016 at 12:31 PM, Valentin V. Bartenev > > > <vb...@nginx.com <mailto:vb...@nginx.com> > <mailto:vb...@nginx.com <mailto:vb...@nginx.com>> > <mailto:vb...@nginx.com <mailto:vb...@nginx.com> > > <mailto:vb...@nginx.com <mailto:vb...@nginx.com>>>> wrote: > > > > > > On Sunday 21 August 2016 15:56:09 B.R. wrote: > > > > It is surprising, since I remember Ilya Grigorik made a > talk about TLS > > > > during the first ever nginx conf in 2014: > > > > https://www.youtube.com/watch?v=iHxD-G0YjiU > <https://www.youtube.com/watch?v=iHxD-G0YjiU> > > <https://www.youtube.com/watch?v=iHxD-G0YjiU > <https://www.youtube.com/watch?v=iHxD-G0YjiU>> > > > <https://www.youtube.com/watch?v=iHxD-G0YjiU > <https://www.youtube.com/watch?v=iHxD-G0YjiU> > > <https://www.youtube.com/watch?v=iHxD-G0YjiU > <https://www.youtube.com/watch?v=iHxD-G0YjiU>>> > > > > https://istlsfastyet.com/ > > > > > > It's just Ilya's opinion. You are free to agree or not. > > > > > > > > > > > > > > Thus, there is no reason for not going full-HTTPS in > delivering Web pages. > > > > > > There are at least two reasons to not use HTTPS: > > > > > > 1. Provide easy access to information for people, who > can't > > > use encryption > > > by political, legal, or technical reasons. > > > > > > 2. Don't waste resources on encryption, and thus save our > > > planet. > > > > > > Please, don't be a TLS despot and let people to have a > > > choice to use encryption > > > or not. > > > > > > I think the situation when I can't download new version of > > > OpenSSL using old > > > version of OpenSSL is ridiculous, but they have configured > > > openssl.org <http://openssl.org> > <http://openssl.org> <http://openssl.org> > > that way. > > > How I supposed to use Internet then? > > > > > > wbr, Valentin V. Bartenev > > > > > > > > > -- > > Maxim Konovalov > > Join us at nginx.conf, Sept. 7-9, Austin, TX: > > http://nginx.com/nginxconf > > > > _______________________________________________ > > nginx mailing list > > nginx@nginx.org <mailto:nginx@nginx.org> <mailto:nginx@nginx.org > <mailto:nginx@nginx.org>> > > http://mailman.nginx.org/mailman/listinfo/nginx > <http://mailman.nginx.org/mailman/listinfo/nginx> > > <http://mailman.nginx.org/mailman/listinfo/nginx > <http://mailman.nginx.org/mailman/listinfo/nginx>> > > > > > > > > > > _______________________________________________ > > nginx mailing list > > nginx@nginx.org <mailto:nginx@nginx.org> > > http://mailman.nginx.org/mailman/listinfo/nginx > <http://mailman.nginx.org/mailman/listinfo/nginx> > > > > > -- > Maxim Konovalov > Join us at nginx.conf, Sept. 7-9, Austin, TX: > http://nginx.com/nginxconf > > _______________________________________________ > nginx mailing list > nginx@nginx.org <mailto:nginx@nginx.org> > http://mailman.nginx.org/mailman/listinfo/nginx > <http://mailman.nginx.org/mailman/listinfo/nginx> > > > > > _______________________________________________ > nginx mailing list > nginx@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx > -- Maxim Konovalov Join us at nginx.conf, Sept. 7-9, Austin, TX: http://nginx.com/nginxconf _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
