| Summary: | Insecure download for pre-built Krita (especially the beta version) | ||
|---|---|---|---|
| Product: | [Applications] krita | Reporter: | Vitaly "_Vi" Shukela <vi0oss> |
| Component: | General | Assignee: | Krita Bugs <krita-bugs-null> |
| Status: | RESOLVED NOT A BUG | ||
| Severity: | normal | CC: | griffinvalley, halla |
| Priority: | NOR | ||
| Version First Reported In: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | unspecified | ||
| OS: | All | ||
| URL: | https://krita.org/download/krita-desktop/ | ||
| Latest Commit: | Version Fixed/Implemented In: | ||
| Sentry Crash Report: | |||
Description
Vitaly "_Vi" Shukela
2016-05-15 22:15:58 UTC
If you add .mirrorlist to the end of the url you get all that info: http://files.kde.org/krita/3/linux/devbuilds/krita-3.0-Beta-master-562442e-x86_64.appimage.mirrorlist

Then links to those mirrorlists should be visible on download page, like this:

* Linux Bleeding Edge Appimage Download <small>(mirrors and checksums)</small>
* Linux Bleeding Edge Appimage Download (legacy distros) <small>(mirrors and checksums)</small>

Also your link to mirrorlist is HTTP (not HTTPS). It means checksums may be also faked. Changing the link to https makes 404.

We do not maintain files.kde.org, so there is nothing we can do about it. The KDE system administrators are moving all sites to https, but they're not done yet.

I've talked to the system administrators. The problem is that files.kde.org is a redirector to mirror services, and that doesn't play well with https. As for the sha1sums, whenever I add them to the release announcements I get confused mails from users asking me what they should do with them...

One more idea: include magnet links. A file downloaded from magnet link (obtained securely, of course) should be secure.
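What a user can do with a published checksum, and why the channel it arrived over matters, as an added example that is not part of the original thread or of Krita's or KDE's tooling. The function names, the exception class and the example.org URLs are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Hex digest length -> hashlib algorithm name (sha1sums are 40 hex characters).
_ALGOS = {40: "sha1", 64: "sha256", 128: "sha512"}


class UntrustedChecksum(Exception):
    """The checksum itself came over a channel an attacker could rewrite."""


def file_digest(path, algo, chunk=1 << 20):
    """Hash the file in chunks so a large AppImage is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex, checksum_url):
    """Return True only if the file matches a checksum that was fetched over HTTPS."""
    # A checksum read from a plain-HTTP page can be swapped together with the file.
    if urlsplit(checksum_url).scheme.lower() != "https":
        raise UntrustedChecksum("checksum source is not HTTPS: " + checksum_url)
    expected = expected_hex.strip().lower()
    algo = _ALGOS.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not a SHA-1/SHA-256/SHA-512 hex digest")
    return hmac.compare_digest(file_digest(path, algo), expected)


if __name__ == "__main__":
    # Constructed sample file standing in for a downloaded AppImage.
    fd, sample = tempfile.mkstemp(suffix=".appimage")
    os.write(fd, b"constructed sample bytes")
    os.close(fd)
    published = hashlib.sha1(b"constructed sample bytes").hexdigest()
    print(verify_download(sample, published, "https://example.org/krita.sha1"))
    try:
        verify_download(sample, published, "http://example.org/krita.mirrorlist")
    except UntrustedChecksum as exc:
        print("rejected:", exc)
    os.remove(sample)
```
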