[tz] Data loss on FTP Server
Paul Eggert
eggert at cs.ucla.edu
Wed Nov 1 06:39:55 UTC 2017
Zefram wrote:
> FWIW, I would not regard HTTPS in the absence of the PGP signature
> files as being secure against MitM attacks for this purpose.
Yes, quite right. HTTPS is not a cure-all. However, it is a significant security
improvement over FTP, which is why I'm recommending it.
As for shortcomings of the IANA tz HTTPS server, how about if we did the following:
1. Set up https://ftp.iana.org/tz so that it contains the same files that
ftp://ftp.iana.org/tz does, in the same locations. Where the FTP server contains
directories, the HTTPS server can contain directory listings in the usual
Apache format.
2. Where the FTP server has a symbolic link, have the HTTPS server redirect via
an HTTP status code 307 (Temporary Redirect) response that points to the symlink
target, instead of simply being another name for the target. That way, it should
be easy to find out programmatically what the current version is: just retrieve
the "latest" URL and see what it redirects to.
(2) can be done with something like the recipe mentioned here:
https://stackoverflow.com/questions/16351271/apache-redirects-based-on-symlinks
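
An added example, not part of the original message: a client for the lookup proposed in (2) that reads the 307 target without following it and rejects a redirect that leaves the origin or the /tz/ tree. The file names, the release tag `2099a`, the loopback HTTP server standing in for the HTTPS host, and the names `resolve_latest` and `demo` are all assumptions made for the demonstration.

```python
import http.client
import http.server
import re
import threading
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the server's symlink-to-redirect rule (sample names).
SYMLINKS = {"/tz/tzdata-latest.tar.gz": "/tz/releases/tzdata2099a.tar.gz",
            "/tz/offsite-latest.tar.gz": "http://mirror.invalid/tz/tzdata2099a.tar.gz"}

class Handler(http.server.BaseHTTPRequestHandler):
    def do_HEAD(self):
        target = SYMLINKS.get(self.path)
        self.send_response(307 if target else 404)
        if target:
            self.send_header("Location", target)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def resolve_latest(url, prefix="/tz/"):
    """Return (target_url, version) from the 307, without following it."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("HEAD", u.path)
    resp = conn.getresponse()
    conn.close()
    if resp.status != 307 or not resp.getheader("Location"):
        raise ValueError(f"expected 307 with Location, got {resp.status}")
    t = urlsplit(urljoin(url, resp.getheader("Location")))
    # Accept only a target on the same scheme and host, under the expected tree.
    if (t.scheme, t.netloc) != (u.scheme, u.netloc) or not t.path.startswith(prefix):
        raise ValueError(f"redirect leaves {u.scheme}://{u.netloc}{prefix}")
    m = re.search(r"(\d{4}[a-z]+)\.tar\.[a-z]+$", t.path)
    return t.geturl(), m.group(1) if m else None

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)  # loopback, plain HTTP
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    results = {}
    for name in ("tzdata-latest.tar.gz", "offsite-latest.tar.gz"):
        try:
            results[name] = resolve_latest(f"http://127.0.0.1:{srv.server_port}/tz/{name}")
        except ValueError as e:
            results[name] = str(e)
    srv.shutdown()
    return results

if __name__ == "__main__": print(demo())
```

The resolved name only identifies the current release; as the quoted point about PGP signature files says, the download still needs its signature verified.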