Hi Greg,

The actual package downloads are GPG signed, and Webmin will verify updates done from within the UI by checking the signature before installing. Also, the downloads from SourceForge are protected by SSL.

On 15/May/2017 11:02 lis...@sl... wrote ..

I'm quite surprised that the Webmin site and downloads aren't SSL/TLS secure. [And that you're still using MD5 for hashes?]

I know time is valuable and things get put off, but I'm exceptionally wary about downloading and/or installing from sources that aren't secure! How is it that Webmin isn't doing this now?

[And I guess I should ask, is the update mechanism secure? It would be pretty trivial for someone to take over servers with a MITM "update" and download that wasn't secure.]

Could someone describe the update process, if you consider it secure?

-Greg