HTTPS on dl.nwjs.io #3062
Comments
|
related: nwjs/npm-installer#2 |
|
Hi, any progress on this? You could just sign the builds with PGP and publish your keys. Alternatively, you could simply post the SHA-256 hashes right here on GitHub. There are many ways to do it. Right now the only way to use NW.js securely is to build it from source. |
|
Will look to fix this soon. |
|
+1 for this. Currently I am taking effort to provide a public mirroring for nw.js, but I find that every previous upstream source uses HTTPS, some also provides signatures to verify with, which will prevent most of the tampering, but nw.js doesn't. So the plan is put on hold. |
|
This is now supported. https://dl.nwjs.io |
|
@rogerwang Thanks! Glad to tell you that nw.js has a mirror at https://npm.taobao.org/mirrors/nwjs/ now, which is synchronized from Amazon S3 via HTTPS :) |
|
Thank you! |
|
@evshiron thanks. but please use dl.nwjs.io. Do NOT use S3. |
|
@rogerwang The mix of Apache DirectoryIndex and Amazon S3 Bucket is somewhat confusing and hard to synchronize with. |
|
OK. It LGTM for now after checking the mirror script. Thanks. |
Currently, the only way to download NW.js is over an insecure HTTP connection. Most projects provide either an HTTPS download link, or PGP signatures that let you verify that what you downloaded hasn't been tampered with. It would be great if dl.nwjs.io supported HTTPS or provided signatures.
Some general background on the risks with using insecure HTTP: http://mashable.com/2011/05/31/https-web-security/
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: