Re: [Gimp-web] [Gimp-developer] WGO Update Status



Hi,

On Tue, Oct 6, 2015 at 4:52 PM, Pat David <patdavid gmail com> wrote:
Awesome feedback!  (I thrive on having a task list in front of me!) :D

On Mon, Oct 5, 2015 at 8:38 PM Jehan Pagès <jehan marmottard gmail com>
wrote:

Hi,

1/ Is it possible to force the download page at least to be https?
There are some companies which provide free certificates with a root CA
in all mainstream browsers.

This would be a prerequisite to pretend to provide safe download. For
instance I see the page provides checksums, which is good but is half
meaningless if not provided through a secure channel like https (half
because it still allows download corruption check, but not malevolent
corruption integrity check).


I agree, but this is not a thing that I can do personally.  I'd refer to the
big gimper, schumaml to find out what the best course of action might be
here?  Not sure who best to obtain a cert through for our use.  If we do get

The most common CA giving free certs is startSSL: http://www.startssl.com/
The free certs are 1-year and no-wildcards only. But I'm thinking they
may offer help for a project such as GIMP and could provide some certs
with advanced features if we contact them.

Other than this, there is Let's Encrypt (https://letsencrypt.org/), a
project driven by Mozilla among other entities, which aims at
providing free certs for everyone. But their root certs are not yet in
any browser. Right now this is still in "test" state, thus not usable
by gimp.org. Yet we may keep an eye there.

one, then it would make more sense to simply use it across the entire site
when we implement.

Yes of course, it would be good to have it everywhere. But this may
not be mandatory everywhere. But for the download page, it has to, in
my opinion. In other words, going to http://static.gimp.org/downloads/
should be impossible and automatically redirect to
https://static.gimp.org/downloads/
This is a basic security measure. If we allow access to a non-encrypted
version of the download page, this is like a house with a steel
security door and a broken wooden door: malevolent people can still use
the broken wooden door and the other door is as good as decoration. In
software terms, malevolent people can just do man-in-the-middle
attacks on the non-https page.

But yeah making https mandatory everywhere is even better and very
easy to do (that's a web server configuration).

Jehan


2/ Also still in the download page, could the download links for the
OSes which have one (Windows and OSX) be made into colorful buttons? I
believe this simplifies the download task.


Yes, absolutely.  Now that the porting is mostly done, I can start focusing
on styling elements of the page like the download links (they are cute
buttons on the current WGO, I'll aim for something in a similar vein for
SGO).



3/ If the exact Linux distribution (Fedora rightfully detected, for
instance in my case) has been detected, it would be good to have the
install information for this distrib at the top (and maybe even the
others hidden, unless clicking a "see all Linux distributions" link).


I think this is a good idea as well, and will look into expanding the
detection/show logic to capture more specific instances like this.



4/ As sad as it is (for someone like me whose first distribution was
Mandrake, later known as Mandriva), the Mandriva company has closed
this year. The website has been down for many weeks, thus even though
it has been saved many times in the last years, it seems that this
time, it is really the end. You may as well remove it from the list.


5/ I propose to add Mageia (which is a community fork of Mandriva,
born a few years ago) instead. Same install command as Mandriva.


I'm not sure if we want to remove mention of Mandriva completely for
historical reasons?  (I'm genuinely not sure - my first gut instinct is to
remove it for the reasons you've listed, and replace it with the Mageia
reference.  If anyone has a different thought let me know - otherwise I'm
going with your suggestion).



6/ For Fedora, yum is dead. The right install command is: "dnf install
gimp" (well yum will still work but will output a deprecation warning
and redirect to dnf). Of course, you may provide both commands if you
want to be as backward compatible as possible.


Thank you, I'll update accordingly!



7/ Mint is quite well spread too. I propose to add it to the "Ubuntu,
Debian" list. (Mint is mostly derived from Ubuntu, except for one
version derived from Debian)


I agree, and will add it to the list!  Thank you so much for taking the time
to have a look and provide detailed feedback!
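
As an added illustration of the redirect Jehan asks for above (this is example configuration written for this page, not gimp.org's actual server setup), the nginx fragment below shows the weak setup, where the same download directory is reachable over plain http, next to the corrected one, where port 80 answers only with a permanent redirect to https so checksums and installers are never served unencrypted. The hostname comes from the thread; certificate paths and the document root are assumed placeholders.

```nginx
# Added example: weak vs. mandatory-HTTPS configuration for the download host.
# Hostname from the thread; certificate paths and document root are placeholders.

# --- Weak: the same content answers on both http and https.
# Someone on the network path can serve a tampered installer AND a matching
# checksum over http, so the published checksums prove nothing to that user.
#
# server {
#     listen 80;
#     listen 443 ssl;
#     server_name static.gimp.org;
#     root /srv/www/static.gimp.org;                            # placeholder
#     ssl_certificate     /etc/ssl/certs/static.gimp.org.pem;   # placeholder
#     ssl_certificate_key /etc/ssl/private/static.gimp.org.key; # placeholder
# }

# --- Corrected: port 80 serves nothing except a 301 to the https URL.
server {
    listen 80;
    listen [::]:80;
    server_name static.gimp.org;
    # Redirect every plain-http request, preserving path and query string,
    # so http://static.gimp.org/downloads/ lands on the https version.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name static.gimp.org;
    root /srv/www/static.gimp.org;                            # placeholder
    ssl_certificate     /etc/ssl/certs/static.gimp.org.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/static.gimp.org.key; # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: a browser that has seen this header once rewrites later http://
    # links to https:// itself, so an old http link in a forum post never
    # even makes the unencrypted request that the redirect above catches.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

To check the result, `curl -I http://static.gimp.org/downloads/` should return a 301 whose Location header starts with https://, and the checksum files must be fetched from that same https path.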

