Updating the path to the Windows installer in the setup instructions

[gvwilson]

Fixing link to installer after merging #480.

[wking]

On Mon, May 12, 2014 at 08:35:25AM -0700, Greg Wilson wrote:

• Updating the path to the Windows installer in the setup instructions

Now that we're asking folks to use a binary installer (harder to
audit), it's probably a good idea to use HTTPS and post a checksum so
folks can check that the installer they're running hasn't been
surreptitiously replaced with some nefarious impersonator.

I'm not sure what hashing programs Windows supports out of the box,
but msysGit comes with md5sum. Not the greatest hash, but between
that and HTTPS, it may be sufficiently secure.

[gvwilson]

Good idea (and one I should have thought of. Can you please PR:

1. a change to the installation instructions to include the MD5 and
   switch the link to HTTPS, and
2. a short note in the lead instructor checklist in the site repo
   explaining how to verify the MD5?

I don't think it's realistic to ask all the learners to verify the MD5
(especially not before the bootcamp starts), so getting the lead
instructor to do it seems like the best alternative (?).

[ethanwhite]

On Tue, May 13, 2014 at 6:26 AM, Greg Wilson notifications@github.com wrote:

I don't think it's realistic to ask all the learners to verify the MD5
(especially not before the bootcamp starts), so getting the lead
instructor to do it seems like the best alternative (?).

+1

[wking]

On Tue, May 13, 2014 at 03:26:40AM -0700, Greg Wilson wrote:

Good idea (and one I should have thought of. Can you please PR:
[snip suggestions]

Sure. Should I PR against gvwilson:updating-windows-installer-path so
you can merge them here before this lands?

1. a short note in the lead instructor checklist in the site repo
   explaining how to verify the MD5?

Where should this live? setup/windows-installer/README.md with a link
from novice/teaching/01-general.md?

I don't think it's realistic to ask all the learners to verify the
MD5 (especially not before the bootcamp starts), so getting the lead
instructor to do it seems like the best alternative (?).

Is the lead instructor going to talk the class through it? Or tell
them to not run the installer before they show up for the workshop,
and then go around and check MD5s on everyone's installer? Neither of
those seem particularly likely to me.

It wasn't realistic before to expect them to look through the script
looking for exploits. The point is that they should be checking
these sorts of things eventually, even if they don't know how yet. We
need to at least provide the tools for them to do so if they want. If
they follow through and use the suggested check, then good on them.
If they feel it's an acceptable risk to ignore the checks, it's their
computer. I'm fine just posting the MD5 and leaving it up to them.

[gvwilson]

I would like to go ahead and merge this one, then get a separate PR with the checksum and instructions on checking it - any objections? (cf. #496)

[ethanwhite]

+1 to merge.

On Sunday, May 18, 2014, Greg Wilson notifications@github.com wrote:

I would like to go ahead and merge this one, then get a separate PR with
the checksum and instructions on checking it - any objections? (cf. #496#496
)

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/488#issuecomment-43437872
.

[wking]

On Sun, May 18, 2014 at 04:49:23AM -0700, Greg Wilson wrote:

I would like to go ahead and merge this one, then get a separate PR
with the checksum and instructions on checking it - any objections?

It looks like we're missing “official” certs for HTTPS:

$ wget https://files.software-carpentry.org/SWCarpentryInstaller.exe
--2014-05-20 09:10:38-- https://files.software-carpentry.org/SWCarpentryInstaller.exe
Resolving files.software-carpentry.org... 174.136.14.108
Connecting to files.software-carpentry.org|174.136.14.108|:443... connected.
ERROR: cannot verify files.software-carpentry.org's certificate, issued by ‘/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=vps1.sensibleadventures.com/emailAddress=ssl@vps1.sensibleadventures.com’:
Self-signed certificate encountered.
ERROR: certificate common name ‘vps1.sensibleadventures.com’ doesn't match requested host name ‘files.software-carpentry.org’.
To connect to files.software-carpentry.org insecurely, use `--no-check-certificate'.

$ wget https://software-carpentry.org/
--2014-05-20 09:18:09-- https://software-carpentry.org/
Resolving software-carpentry.org... 174.136.14.108
Connecting to software-carpentry.org|174.136.14.108|:443... connected.
ERROR: cannot verify software-carpentry.org's certificate, issued by ‘/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=vps1.sensibleadventures.com/emailAddress=ssl@vps1.sensibleadventures.com’:
Self-signed certificate encountered.
ERROR: certificate common name ‘vps1.sensibleadventures.com’ doesn't match requested host name ‘software-carpentry.org’.
To connect to software-carpentry.org insecurely, use `--no-check-certificate'.

Does this deserve a separate issue, or can I tack it on here?

[gvwilson]

Please file a separate issue, and I'll ask Mozilla to generate a real cert.