Zefram wrote:
> FWIW, I would not regard HTTPS in the absence of the PGP signature files as being secure against MitM attacks for this purpose.

Yes, quite right. HTTPS is not a cure-all. However, it is a significant security improvement over FTP, which is why I'm recommending it.

As for shortcomings of the IANA tz HTTPS server, how about if we did the following:

1. Set up https://ftp.iana.org/tz so that it contains the same files that ftp://ftp.iana.org/tz does, in the same locations. Where the FTP server contains directories, the HTTPS server can contain directory listings in the usual Apache format.

2. Where the FTP server has a symbolic link, have the HTTPS server redirect via an HTTP status code 307 (Temporary Redirect) response that points to the symlink target, instead of simply being another name for the target. That way, it should be easy to find out programmatically what the current version is: just retrieve the "latest" URL and see what it redirects to.

(2) can be done with something like the recipe mentioned here:

https://stackoverflow.com/questions/16351271/apache-redirects-based-on-symli...
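
The client side of item (2), as an added example that is not part of the original message: it requests the "latest" name without following the redirect, reads the 307 target, and rejects a target that changes scheme, host or port. The file names, the version pattern, the same-origin check and the local plain-HTTP stand-in server are assumptions made so the sketch runs offline.

```python
import http.client
import http.server
import re
import threading
from urllib.parse import urljoin, urlsplit

# Constructed names: the post only says "latest"; both paths are assumptions.
LATEST_PATH = "/tz/tzdata-latest.tar.gz"
TARGET_PATH = "/tz/releases/tzdata2099z.tar.gz"

class _Handler(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the proposed server: the symlink name answers 307."""
    def do_HEAD(self):
        redirect = self.path == LATEST_PATH
        self.send_response(307 if redirect else 200)
        if redirect:
            self.send_header("Location", TARGET_PATH)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def resolve_latest(host, port, path, tls=True):
    """Return (target_url, version) without following the redirect."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
    finally:
        conn.close()
    location = resp.getheader("Location")
    if resp.status != 307 or not location:
        raise ValueError(f"expected a 307 redirect, got {resp.status}")
    scheme, default = ("https", 443) if tls else ("http", 80)
    target = urljoin(f"{scheme}://{host}:{port}{path}", location)
    parts = urlsplit(target)
    origin = (parts.scheme, parts.hostname, parts.port or default)
    if origin != (scheme, host.lower(), port):  # redirect must stay on this origin
        raise ValueError(f"redirect leaves origin: {target}")
    m = re.search(r"\d{4}[a-z]+", parts.path.rsplit("/", 1)[-1])  # assumed pattern
    if not m:
        raise ValueError(f"no version in {target}")
    return target, m.group(0)
```

Against a real deployment the call would use `tls=True` and port 443. Per the quoted remark, the redirect target only names the current version; the downloaded file would still be checked against its PGP signature.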