Bernhard - this is an issue of security, it is not a place for you to
exercise corruption by using your influence over administrators to shut down
opinions you disagree with.

You have made a statement that I am absolutely confident that no security
professional will support: "We will keep the non-TLS access, because there
are some people that will lose access otherwise.". Aside form this
statement being almost certainly totally untrue, this is nevertheless NOT a
valid reason to continue to distribute a security product over known
compromiseable channels. If anyone cannot get GPG because of TLS (which I
doubt), that is NOT a reason to for everyone to get GPG over an insecure
channel. Like I've said before, security-downgrade attacks are the most
effective weapon used by adversaries. Do not make is so easy for them.

Let me suggest a resolution to this problem, since we seem to be at a
stalemate:

Let us pick a security professional who is known and trusted. You can write
down your case for why you do not want to use TLS, and I will write down my
case why I want TLS to be mandatory, and we will each give our cases to this
professional.

If they pick your case, I will let you close this ticket and I will not come
back.

If they pick my case, you will resign from the GnuPG project and not come
back.

Deal?

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

Mate - it's this simple. For as long as you're distributing a security
product over plaintext insecure channels, this bug needs to stay open.

TLS will NOT prevent anyone downloading this, no matter how hard you cling
to that irrational idea. If you work for someone who is exploiting this
attack vector SHAME ON YOU!!!

Stop wasting everyones time. If you don't want to fix this, go away and do
something else, stop preventing someone who *can* fix it from actually doing
that by messing with this ticket.

"We will keep the non-TLS access, because there are some people
that will lose access otherwise."

LOL

You know that GnuPG is a security product, right?

I challenge your assumption. Nobody will loose access, but securing
downloads will make EVERYONE mass-loads safer.

Heck dude - there's this search engine, maybe you've heard of it? It's
called GOOGLE. They make you use this thing, maybe you've heard of it too?
It's called TLS.

Just get rid of the unsafe stuff Bernhard, this isn't a game, peoples lives
really do balance on this stuff. Start acting responsibly.

Sounds like a plan!

Get rid of all the insecure delivery mechanisms ( e.g.
http://files.gpg4win.org/gpg4win-2.2.6.exe ), which you can now safely do
because you've got secure ones (well done), then (and only then) you can
close this bug!

For as long as easy MitM can substitute traffic, signing the EXE is a
pointless waste of time.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

You said: "TAKE THIS TO A MAILING LIST"
You then said: "I have see your post."
You are behaving with extreme deception and dishonesty.
Leave this issue to someone else - your emotions have destroyed your
objectivity.

Stop closing this bug.
I did take this to the list.
You or whoever runs/moderates it is blocking my post.

DO NOT CLOSE THIS until such time as windows users are prevented from
getting your security solution over totally insecure channels.

This is not a game you know - it's an almost absolute certainty that your
careless security attitude will GET PEOPLE KILLED.

Let the person who fixes the insecure distribution problem be the one who
closes this bug. It is not appropriate that your ego needs to win some
puerile argument at the expense of other peoples safety and lives.

I checked. Here are some inconvenient "facts" for you:

http://gpg4win.org/download.html
http://files.gpg4win.org/gpg4win-2.2.6.exe
http://files.gpg4win.org/gpg4win-2.2.6.exe.sig

https://www.gnupg.org/download/mirrors.html *
There is NOT EVEN ONE SINGLE SSL LINK on the above page!!!!!

Dude - you need to take yourself off this project. If you are more
interested in winning some stupid pride fight than protecting users of a
security product, you deserve no place on the team.

Let me quote YOUR OWN WORDS back to you:
" Instead of providing a not very secure HTTPS access to the files... "

You work on a security product, and you expect us to accept that because you
somehow believe the same security that protects every single other thing on
the web is "not very secure", that it's all fine and hunky-dory for you to
distribute yours over PLAIN UNAUTHENTICATED TEXT, and to expect us to USE
this unauthenticated code to verify it's own sigantures, which also come the
same way (http://files.gpg4win.org/gpg4win-2.2.6.exe.sig)

Here's some more facts - just one tiny list...

ftp://ftp.gnupg.ca/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/
ftp://gd.tuwien.ac.at/privacy/gnupg/
http://gd.tuwien.ac.at/privacy/gnupg/
ftp://mirrors.dotsrc.org/gcrypt/
http://mirrors.dotsrc.org/gcrypt/
ftp://ftp.jyu.fi/pub/crypt/gcrypt/
ftp://mirror.cict.fr/gnupg/

http://artfiles.org/gnupg.org
ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/

ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/

http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/

...

and the list snakes on

Do not close this bug. Your emotions are too heated to be rational now.

gpg itself, and all it's SHA sums, and all your keys, are being distributed
over unauthenticated plain-text channels which are 100% vulnerable to
undetectable modification in transit.

There is NO EXCUSE for any security product to be distributed in such a
blatantly irresponsible way.

EVERY PLAINTEXT ENDPOINT NEEDS TO BE SHUT DOWN

You stated that you deliberately used a self-signed SSL cert instead of
buying one, because, in your own words, "The X.509 system is broken beyond
repair."

That is a political reason, and is has reduced user security. Using non-
working SSL reduces security - you do know that, don't you?

The *reason* security gets "broken beyond repair", is because too many
people change mistakes into "notbug" and never fix stuff.

Bite your tongue, swallow your pride, spend the $3.50 and just buy a
certificate mate.

This conversation is going to get read by other people in future, you decide
next what you want them to think about you.

In what other ways have you "on purpose" reduced the security of your users
for tin-foil-hat political reasons I wonder?

Buy the cert. It's, like, $3.50 (comodo), or if you really want to splurge,
$49 for unlimited number of domains and SANs and wildcards and whatever else
tickles your fancy (startssl)

You need to perform the bigmath modexp routines in constant time, the same as the
smartcard people do to stop key theft via power usage observation.