On Mon, Oct 31, 2016 at 03:33:42PM -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
>> On 31.10.2016 at 15:05, Dave Reisner wrote:
>>> Asking every upstream to provide a PGP signature isn't a process which will scale,
>>
>> I am against enforcing https for projects which provide signatures. As Sebastien pointed out, there are valid reasons against using https and it adds no benefit when using signatures.
>
> IMO, Sebastien didn't really provide any compelling evidence that switching to https would be an encumbrance -- rather, a minor inconvenience at worst.
>
> Do you have other reasons to add? I'd be very interested to know why this is a problem. We already have a large number of sources fetched over https including several which include gpg signatures. Do you want to revert those to http? Why or why not?
>
> To put some ballpark numbers to this with some simple grep'ing over the PKGBUILD tree and my initial scripting work...
>
> - We have 4539 sources fetched over https
> - 193 of those 4539 sources also include a pgp signature
> - 2169 more sources could be fetched over https instead of http
> - 597 of those 2169 sources could include a https-fetched pgp signature
>
>> However, I agree that asking every single author to provide signatures is likely infeasible.
>>
>>> and some of them will likely not be interested in doing such a thing.
>>
>> Having no interest in signing your work is surely a bad sign. Maybe we should look into dropping such software where we can.
>
> I don't really think you believe this...
>
> If an upstream won't provide PGP signatures, do you have another suggestion as to how we can secure our process of obtaining upstream sources in a reliable manner?

You can't.

We could mirror the sources and sign them ourselves, but that would require that we actually audit the sources somehow.

This, too, does not scale, and might even constitute a breach of the software's license.
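As an added illustration of the kind of tally quoted in the thread (this is not Dave's script and not part of the mailing-list post), the POSIX shell snippet below classifies the URLs in a PKGBUILD's source=() array by transport scheme and by whether a detached .sig/.asc signature is fetched alongside. It assumes one URL per source entry, the optional `name::url` prefix, and a constructed PKGBUILD fragment as input; real trees would be walked with makepkg's own parsing.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a PKGBUILD on stdin and prints one
# line per fetched source: "<scheme> <signed|unsigned> <url>".
classify_sources() {
    # Take the lines between 'source=(' and the closing ')' and pull out URLs;
    # the 'name::' prefix is skipped because the match starts at http(s)://.
    sed -n '/^source=(/,/)/p' | grep -oE "https?://[^ )\"']+" | awk '
        { urls[NR] = $0 }
        # A .sig/.asc entry is the detached signature of the URL it extends.
        /\.(sig|asc)$/ { sub(/\.(sig|asc)$/, ""); sig[$0] = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                u = urls[i]
                if (u ~ /\.(sig|asc)$/) continue
                split(u, parts, "://")
                s = (u in sig) ? "signed" : "unsigned"
                print parts[1], s, u
            }
        }'
}

# Aggregate the per-source lines into the four buckets discussed above.
summarize() {
    classify_sources | awk '
        $1 == "https" && $2 == "signed"   { hs++ }
        $1 == "https" && $2 == "unsigned" { hu++ }
        $1 == "http"  && $2 == "signed"   { ps++ }
        $1 == "http"  && $2 == "unsigned" { pu++ }
        END { printf "https_signed=%d https_unsigned=%d http_signed=%d http_unsigned=%d\n", hs, hu, ps, pu }'
}

# Constructed PKGBUILD fragment (not a real package) covering each case.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example
source=("https://example.org/example-1.0.tar.gz"
        "https://example.org/example-1.0.tar.gz.sig"
        "http://mirror.example.net/lib-2.3.tar.xz"
        "http://mirror.example.net/lib-2.3.tar.xz.asc"
        "tool-0.5.tar.gz::http://archive.example.com/dl/0.5"
        "local.patch")
sha256sums=(SKIP)
EOF
}

# Usage: sample_pkgbuild | summarize
# The http+unsigned bucket is the one with neither transport nor signature protection.
```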