Ren Siyuan <netheril96@xxxxxxxxx> on Sun, 2014/10/12 22:52:
> I am trying to download a version of OpenSSH newer than the one
> preinstalled with my OS. But sadly I find that I can only download it
> through *unsecured* plain http/ftp/rsync protocols, vulnerable to attacks by
> anyone in the network path. It is odd that *the* software about security
> and encryption across untrusted networks is distributed to everyone
> insecurely and not encrypted. Is there any future plan to distribute
> OpenSSH over a secured channel, such as https?

The OpenSSH development team provides GPG signatures for their source tarballs. So download the tarball with whatever (unsecure) protocol you prefer, download the gpg signature file (ending .asc) and verify with gpg:

% gpg --verify openssh-6.7p1.tar.gz.asc
gpg: Signature made Mon 06 Oct 2014 05:40:59 AM CEST using RSA key ID 6D920D30
gpg: Good signature from "Damien Miller <djm@xxxxxxxxxxx>" [unknown]
Primary key fingerprint: 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30

HTTPS does provide secure data transfer, but does not guarantee the data is what the developers intended to provide. If you download a compromised source tarball via HTTPS it is still compromised.

-- 
Kind regards
Chris
 O< ascii ribbon campaign
 stop html mail - www.asciiribbon.org
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
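
Added example, not part of the original message or of OpenSSH's own tooling: a script that runs the verification described in the reply and also requires the signer to be the key whose fingerprint the reply prints, since "Good signature" from an [unknown] key only says the file matches some key in the local keyring. The function names and the sample status lines are assumptions constructed for illustration, and the pinned fingerprint should itself be confirmed through a channel you trust.

```shell
#!/bin/sh
# Added example; not from the original message.
# Fingerprint exactly as printed in the gpg output quoted in the reply.
PINNED_FPR=$(printf '%s' '59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30' | tr -d ' ')

# Reads `gpg --status-fd` output on stdin. Succeeds only if some VALIDSIG
# line names the wanted primary key. In a VALIDSIG line, field 3 is the
# fingerprint of the key that signed and the last field is the primary key's.
# A VALIDSIG line without the primary fingerprint fails closed.
primary_fpr_matches() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !ok }'
}

# $1 = tarball, $2 = detached signature (.asc).
# Fails if gpg rejects the signature or if the signer is not the pinned key.
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | primary_fpr_matches "$PINNED_FPR"
}

# Constructed status output (not captured from a real gpg run) for a
# signature made by the primary key whose fingerprint is given as $1.
sample_status() {
    printf '[GNUPG:] GOODSIG %s Constructed Signer\n' "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2014-10-06 1412566859 0 4 0 1 2 00 %s\n' "$1" "$1"
}

# Run as: sh verify.sh openssh-6.7p1.tar.gz openssh-6.7p1.tar.gz.asc
# (verify.sh is a hypothetical file name for this script.)
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "FAIL: bad signature or unexpected signer" >&2
        exit 1
    fi
fi
```

The signer's public key must already be in the local keyring for gpg to emit a VALIDSIG line at all.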