GitLab

I've been talking with a lot of Free Software projects about how they don't want to serve stuff up over HTTPS - especially bulk data. I've heard a lot of user blaming, balking at even trying to be secure, the point of gpg signatures, etc.

I think that there is a middle ground and it is probably worthwhile to explore. We could also use it as a test - it seems like an easy test too.

Basically, I propose that over HTTPS, we have a page that links to all of our downloads, with GPG signatures and the file they wish to download as BitTorrent Magnet links.

Here's one I created that has no seeders and no need for them, I might add:

magnet:?xt=urn:btih:696513360665ad8bc398126cba2e688d882ed5cd&dn=TorBrowser&as=https%3A%2F%2Fwww.torproject.org%2Fdist%2Ftorbrowser%2Flinux%2Ftor-browser-gnu-linux-x86%5F64-2.3.22-alpha-1-dev-en-US.tar.gz&as=http%3A%2F%2Fj6im4v42ur6dpic3.onion%2Ftor-package-archive%2Ftorbrowser%2Ftor-obfsproxy-browser-2.3.22-alpha-1%5Fen-US.exe&as=https%3A%2F%2Farchive.torproject.org%2Ftor-package-archive%2Ftorbrowser%2Flinux%2Ftor-browser-gnu-linux-x86%5F64-2.3.22-alpha-1-dev-en-US.tar.gz

The nice thing about that Magnet URN is that it includes (three) urls as backups - so anyone who clicks on it will fetch it over a .onion via HTTP or via two different HTTPS urls. I think that means that merely by offering the files our first users will get a normal download via HTTPO or HTTPS. They then become the seeders - no seeding box needed!

I think it should be rather straight forward to automate the creation of urls for our use too.

The main question for me is how well the 'as=' ( see https://en.wikipedia.org/wiki/Magnet_URI#Normal_.28as.29 ) field actually works. Do BitTorrent clients actually download it over HTTPS properly?