[tz] Data loss on FTP Server

Paul Eggert eggert at cs.ucla.edu
Wed Nov 1 06:39:55 UTC 2017


Zefram wrote:
> FWIW, I would not regard HTTPS in the absence of the PGP signature
> files as being secure against MitM attacks for this purpose.

Yes, quite right. HTTPS is not a cure-all. However, it is a significant security 
improvement over FTP, which is why I'm recommending it.

As for shortcomings of the IANA tz HTTPS server, how about if we did the following:

1. Set up https://ftp.iana.org/tz so that it contains the same files that 
ftp://ftp.iana.org/tz does, in the same locations. Where the FTP server contains 
directories, the HTTPS: server can contain directory listings in the usual 
Apache format.

2. Where the FTP server has a symbolic link, have the HTTPS server redirect via 
an HTTP status code 307 (Temporary Redirect) response that points to the symlink 
target, instead of simply being another name for the target. That way, it should 
be easy to find out programmatically what the current version is: just retrieve 
the "latest" URL and see what it redirects to.

(2) can be done with something like the recipe mentioned here:

https://stackoverflow.com/questions/16351271/apache-redirects-based-on-symlinks



More information about the tz mailing list