Can you please provide downloads over HTTPS/TLS?

Comment From: mattsta

You can use the tagged releases at https://github.com/antirez/redis/releases for https downloads.

Comment From: naftulikay

@mattsta Great. I'm willing to close, but it would be really advisable to provide these links over at redis.io/downloads.

Comment From: pilwon

Agreed with @rfkrocktk's comment. HTTPS should really be supported at download.redis.io, which is where the official download page links to (instead of the GitHub releases page). Also, the GitHub releases page is missing a tag equivalent to redis-stable (redis-stable.tar.gz).

Comment From: mstewartgallus

HTTPS would be nice to prevent hackers monitoring what files one downloads, but Redis already provides hashes of the files over HTTPS, so the files can still be verified to be correct securely.

Comment From: naftulikay

HTTPS is a bare minimum for these things; hopefully we'll also see PGP-signed tarballs so that we can be sure of where they come from, as mentioned in #1731, which was closed without resolution.

Comment From: jbergstroem

I guess a simple effort that plays closer to this would be sha1sums for tarballs at this page: http://redis.io/download

Comment From: naftulikay

SHA sums don't guarantee authenticity; they only guarantee integrity, an important distinction. They can just as easily be forged.

A PGP signature guarantees both authenticity and integrity, meaning I know that it was created by the one in possession of the private key, e.g. the Redis team.

Comment From: jbergstroem

@rfkrocktk Yes, that's right. I didn't suggest replacing your original request, rather an effort that perhaps could be closer at hand.

Comment From: OriginalPenguin

This seems more important than ever. If it's not something that will be fixed, maybe the GitHub release should be the default for 3.0.x on http://redis.io/download

Weirdly enough, that page uses the GitHub version for 2.8.22 but not 3.0.4.

Comment From: antirez

Given that SHAs are stored at GitHub, you can have proof of authenticity, at least under the assumption that I'm in control of my GitHub account. Note that, anyway, authenticity is not better provided by HTTPS, since it is possible to crack the server and change the binaries to something else. The current setup is better than just SSL; the only thing that would be better than what we have in place now would be PGP-signed binaries, since to impersonate me one would need to find the private key and obtain the passphrase.
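As an added illustration of the integrity-versus-authenticity distinction discussed by naftulikay and antirez above (example code written for this page, not tooling from the Redis project): a checksum list in `sha1sum`/`sha256sum` format catches a tampered tarball only when the list itself came from a channel the attacker does not control. The tarball contents and the `redis/README` member name are constructed; only the `redis-stable.tar.gz` file name comes from the thread.

```python
import hashlib
import hmac
import io
import tarfile

def build_tarball(member_name: str, content: bytes) -> bytes:
    """Build a small uncompressed tarball in memory (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def checksum_list(files: dict, algo: str = "sha256") -> str:
    """Emit '<hex>  <name>' lines, the format sha1sum/sha256sum -c expects."""
    return "".join(f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
                   for name, data in files.items())

def parse_checksum_list(text: str) -> dict:
    """Parse '<hex>  <name>' lines into {name: hex}; tolerates the ' *name' binary marker."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def verify_download(name: str, data: bytes, checksum_text: str, algo: str = "sha256") -> bool:
    """Integrity only: True iff data hashes to the listed digest. Authenticity comes
    from how checksum_text was obtained (HTTPS from the maintainer's account, or PGP)."""
    expected = parse_checksum_list(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)

def scenario():
    """Thread cases: genuine, tampered, and tampered with an attacker-forged checksum list."""
    name = "redis-stable.tar.gz"  # file name from the thread; contents are constructed
    genuine = build_tarball("redis/README", b"genuine source\n")
    tampered = build_tarball("redis/README", b"tampered source\n")
    trusted_list = checksum_list({name: genuine})  # e.g. fetched over HTTPS
    forged_list = checksum_list({name: tampered})  # served from the compromised host
    return (verify_download(name, genuine, trusted_list),
            verify_download(name, tampered, trusted_list),
            verify_download(name, tampered, forged_list))  # (True, False, True)
```

The third result is the point antirez makes: a digest published alongside the download on the same host proves nothing about origin, so the hash list needs its own trusted channel or a signature.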

Comment From: OriginalPenguin

I agree that the current setup is better than just SSL, but I still think adding SSL would be an improvement.

It's great that the sha1s are available, and PGP signed binaries would also be great.

But most people won't bother checking the sha1s or the PGP binaries.

Although adding SSL doesn't solve any security issues, it certainly would offer a marginal improvement, with no downside besides a few minutes of configuration of the webserver. I'd even be willing to pay for the first year of the SSL certificate, if cost is an issue.

Comment From: OriginalPenguin

By the way, it's probably time to move to something else besides sha1. Maybe sha256?

https://sites.google.com/site/itstheshappening/

Comment From: r4co0n

Is there a chance of this happening at some point? If not, you might as well close this very old issue to make this clear for anyone wondering. It should be noted that Redis is now one of very few applications where the upstream does not provide a possibility for download via HTTPS; at least in my recipes it's a unicorn...

Comment From: yossigo

All links have been HTTPS for some time already; closing.