Please provide working HTTPS downloads, and ideally also app signing.
Downloads from paraview.org are currently possible via HTTP only. Yes, there are md5sums but I cannot trust those because they're also only available via HTTP. A MITM attack could mess with both. Connecting via HTTPS is not possible because of a hostname mismatch, as shown here (paraview.org uses the same certificate as kitware.com, which covers just *.kitware.com):
% sslyze --certinfo paraview.org
[..]
CHECKING HOST(S) AVAILABILITY
-----------------------------
paraview.org:443 => 66.194.253.19
SCAN RESULTS FOR PARAVIEW.ORG:443 - 66.194.253.19
-------------------------------------------------
* Certificate Basic Information:
SHA1 Fingerprint: 8c8c9b50b4c1b6ec60e43a64f5cb33a1f91f09cd
Common Name: *.kitware.com
Issuer: DigiCert SHA2 Secure Server CA
Serial Number: 6567443584259596396557874247787356987
Not Before: 2014-09-10 00:00:00
Not After: 2017-11-13 12:00:00
Signature Algorithm: sha256
Public Key Algorithm: _RSAPublicKey
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: [u'*.kitware.com', u'kitware.com']
* Certificate - Trust:
Hostname Validation: FAILED - Certificate does NOT match paraview.org
AOSP CA Store (7.0.0 r1): OK - Certificate is trusted
Apple CA Store (OS X 10.11.6): OK - Certificate is trusted
Java 7 CA Store (Update 79): OK - Certificate is trusted
Microsoft CA Store (09/2016): OK - Certificate is trusted
Mozilla CA Store (09/2016): OK - Certificate is trusted
Received Chain: *.kitware.com --> DigiCert SHA2 Secure Server CA
Verified Chain: *.kitware.com --> DigiCert SHA2 Secure Server CA --> DigiCert Global Root CA
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
[..]
%
This applies to anything you do on paraview.org and anything you download from it, not just to snapshots or release candidates but also to final releases!
For me, as a Mac user, there's theoretically the extra security provided by app signing. But ParaView is never signed. Not even the latest release, ParaView-5.3.0, was. When I download it, I'm actually told it "[..] can't be opened because it is from an unidentified developer. [..]". I need to explicitly disable this security feature to be able to run ParaView.
So downloading and running ParaView for the first time feels a bit like juggling with hand grenades. Especially in times of news like these: https://news.ycombinator.com/item?id=14281808. It would be very nice if this changed.
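The hostname check that sslyze reports as FAILED above, as an added example (not code from the post, ParaView or Kitware): a small RFC 6125-style matcher applied to the SAN list from the scan, plus a checksum helper and a hypothetical fetch_verified() that downloads with Python's default TLS verification enabled (standard library only; md5 is used because that is what the site publishes).

```python
import hashlib
import ssl
import urllib.request


def _label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured; anything else is literal.
    return pattern == "*" or pattern == label


def hostname_matches(san_names, hostname: str) -> bool:
    """True if hostname matches one of the certificate's DNS SAN entries."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        name_labels = name.lower().rstrip(".").split(".")
        # A wildcard stands for exactly one label, so label counts must agree:
        # "*.kitware.com" matches "www.kitware.com" but not "a.b.kitware.com"
        # and not the bare "kitware.com".
        if len(name_labels) != len(host_labels):
            continue
        # A wildcard is only permitted in the left-most label.
        if "*" in name_labels[1:]:
            continue
        if all(_label_matches(p, l) for p, l in zip(name_labels, host_labels)):
            return True
    return False


# Constructed sample: the SAN list sslyze showed for paraview.org:443.
KITWARE_SANS = ["*.kitware.com", "kitware.com"]


def md5_ok(data: bytes, expected_md5: str) -> bool:
    """Compare the md5 of downloaded bytes against a published checksum."""
    return hashlib.md5(data).hexdigest() == expected_md5.strip().lower()


def fetch_verified(url: str, expected_md5: str) -> bytes:
    """Hypothetical helper: HTTPS download with chain + hostname verification.

    create_default_context() enables both checks, so a *.kitware.com
    certificate served for paraview.org raises ssl.SSLCertVerificationError
    instead of silently succeeding. Needs network access; not exercised here.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx) as resp:
        data = resp.read()
    if not md5_ok(data, expected_md5):
        raise ValueError("md5 mismatch for %s" % url)
    return data
```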