Pitivi Flatpak Ref should be served over HTTPS
Submitted by Kevin Ernst @ernstki
Assigned to Thibault Saunier @thiblahute
Description
Currently, the "Install with Flatpak" instructions direct you to install using Flatpak using a non-SSL URL.
I tried the https:// variant and received an error.
If the GPG key in the .flatpakref can be modified in transit by a malicious third party, it defeats the purpose of code signing in the first place. If the Flatpak Ref were served over HTTPS from pitivi.org, with its SSL certificate signed by a "trusted" CA, then there would exist a somewhat reliable (as best we can do in 2017) chain of trust for the Flatpak the user is about to install—possibly as root—on their system.
I'm not an expert in any of this stuff (least of all Flatpak); I just hope I'm at least able to act like the stern voice of reason here about the absolute need for HTTPS.
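A check in the spirit of the report above, added here as an example and not part of the original issue or Pitivi's code: it parses a `.flatpakref`, flags every URL in the trust path that is not HTTPS, and compares the embedded `GPGKey` with a SHA-256 pin obtained out of band. The function name `audit_flatpakref`, the pin parameter and the sample file (with placeholder key bytes and example.org hosts) are assumptions constructed for illustration.

```python
import base64
import configparser
import hashlib
from urllib.parse import urlsplit

# Constructed sample; the key bytes are a placeholder, not a real GPG key.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder key material").decode()
SAMPLE_REF = f"""[Flatpak Ref]
Title=Example App
Name=org.example.App
Branch=stable
Url=http://flatpak.example.org/repo
IsRuntime=false
GPGKey={SAMPLE_KEY}
RuntimeRepo=https://runtime.example.org/example.flatpakrepo
"""


def audit_flatpakref(text, fetched_from, pinned_sha256=None):
    """Return (findings, sha256-of-embedded-key) for a .flatpakref file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(text)
    ref = cp["Flatpak Ref"]
    findings = []

    # Every URL in the trust path must be authenticated by TLS.
    urls = {"ref download": fetched_from, "Url": ref.get("Url"),
            "RuntimeRepo": ref.get("RuntimeRepo")}
    for label, url in urls.items():
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append(f"{label} is not HTTPS: {url}")

    key_b64 = ref.get("GPGKey")
    if not key_b64:
        return findings + ["no GPGKey field: nothing to pin or compare"], None
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()
    if pinned_sha256 is None:
        # Without a pin, the key is only as trustworthy as its transport.
        if urlsplit(fetched_from).scheme.lower() != "https":
            findings.append("GPGKey arrived over plain HTTP with no pin to check")
    elif digest != pinned_sha256.lower():
        findings.append("GPGKey does not match the pinned SHA-256")
    return findings, digest
```

A pin published through a separate authenticated channel lets the key be checked even when the ref itself was fetched over an untrusted transport.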