I've discovered that Debian and Ubuntu and maybe other distros distribute packages over HTTP and then verify the files using a key obtained through HTTPS, so that's another option.
Also, the book may not need to go over a secure channel if you expect that readers can verify themselves that instructions and commands are not guiding them to add a backdoor to their system, for example. At the very least, it should be the larger software and patches that the user can not be expected to audit for vulnerabilities that should be secured. And that may just involve securing the list of hashes.

On Fri, Sep 7, 2018 at 3:00 PM <[email protected]> wrote:

> Date: Thu, 6 Sep 2018 19:18:37 -0500
> From: DJ Lucas <[email protected]>
> To: [email protected]
> Subject: Re: [website] Fwd: Re: Suggestion to start using HTTPS
>
> On 09/06/2018 01:42 PM, Bruce Dubbs wrote:
> > On 09/06/2018 01:01 PM, DJ Lucas wrote:
> >>> People worry about encrypting http for
> >>> downloads, but we also provide files via
> >>> ftp like a lot of upstream does. Nobody
> >>> seems to worry about that not being an
> >>> encrypted connection. -- Bruce
> >>
>
> Just adding this bit (modified) from offline conversation (now that I'm
> sub'd).
>
> This is true, however, the concern is MIM attacks. With a proxy in the
> middle, it's obvious if using https as you will get a big red warning in
> your browser. The files themselves can be obtained unencrypted, and we
> don't really care as we can verify from the hashes that were obtained
> from the books, whose content was delivered over a secure channel and so
> not modified, at least not in transit.
>
> --DJ
--
http://lists.linuxfromscratch.org/listinfo/website
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
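
The scheme discussed in this thread (files fetched over plain HTTP or FTP, checked against a hash list that arrived over an authenticated channel), as an added example that is not part of the original messages. The `<sha256>  <filename>` list format, the file names and the file contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_hash_list(text):
    """Parse '<sha256-hex>  <filename>' lines (sha256sum format, assumed here)."""
    trusted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with '*'
        if len(digest) != 64 or Path(name).name != name:
            raise ValueError(f"malformed or path-bearing entry: {line!r}")
        trusted[name] = digest.lower()
    return trusted


def verify_downloads(trusted, download_dir):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    results = {}
    for name, expected in trusted.items():
        path = Path(download_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        ok = hmac.compare_digest(h.hexdigest(), expected)
        results[name] = "ok" if ok else "mismatch"
    # Anything the trusted list does not name must not be installed.
    for path in Path(download_dir).iterdir():
        results.setdefault(path.name, "unlisted")
    return results


def demo():
    """Constructed sample: one intact file, one altered in transit, one extra."""
    good, patch = b"tarball bytes", b"patch bytes"
    hash_list = (f"{hashlib.sha256(good).hexdigest()}  pkg-1.0.tar.xz\n"
                 f"{hashlib.sha256(patch).hexdigest()}  pkg-1.0-fix.patch\n")
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pkg-1.0.tar.xz").write_bytes(good)
        Path(d, "pkg-1.0-fix.patch").write_bytes(patch + b" + injected hunk")
        Path(d, "extra.sh").write_bytes(b"not in the list")
        return verify_downloads(parse_hash_list(hash_list), d)
```

The check is only as strong as the channel that delivered the hash list: if the list itself can be altered in transit, a matching digest proves nothing.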
