[2016-10-31 10:05:26 -0400] Dave Reisner:
On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> I agree with Sébastien. We should encourage upstream to digitally sign their releases, and verify their authenticity in our PKGBUILDs.
> Downloading releases over HTTPS gives a false sense of security: everybody knows the CA model is severely broken. In terms of security this simply does not compare with OpenPGP... In my view, switching our download links to HTTPS is nothing but an annoyance.
The CA model is broken. HTTP clients have bugs. HTTP servers have bugs. PGP has bugs. Sovereign states might be snooping on connections. None of these are reasons to avoid an attempt at providing another layer of security. That's all TLS is, and I'm not suggesting it's some panacea.
Asking every upstream to provide a PGP signature isn't a process which will scale, and some of them will likely not be interested in doing such a thing. If an upstream won't provide PGP signatures, do you have another suggestion as to how we can secure our process of obtaining upstream sources in a reliable manner?
All the nuances in my message were apparently lost on you... I said OpenPGP provides a much higher degree of security than HTTPS, so that's what we should strive to use. Obviously, for cases where digital signatures aren't available, downloading sources over HTTPS is better than nothing. What I argued, however, is that it's not much better than nothing, so we shouldn't become complacent and trust sources just because they came over TLS.

Cheers.

-- 
Gaetan
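For readers unfamiliar with what "verify their authenticity in our PKGBUILDs" looks like in practice, here is an added example PKGBUILD (not from this thread or any Arch package) that fetches an upstream tarball together with its detached OpenPGP signature and lets makepkg verify it before building. The package name, URL, key fingerprint and checksum are placeholders to be replaced with real values; the `signature_verification_enabled` helper at the end is a hypothetical lint function added for illustration, not part of makepkg.

```shell
# Added example PKGBUILD demonstrating upstream signature verification.
# Not taken from the thread; all identifiers below are placeholders.
pkgname=example-tool            # placeholder package name
pkgver=1.2.3                    # placeholder version
pkgrel=1
pkgdesc="Example package demonstrating upstream signature verification"
arch=('x86_64')
url="https://example.org/$pkgname"   # placeholder project URL
license=('MIT')

# Full fingerprint of upstream's release-signing key. It must be obtained
# and checked out of band (project web site, previous releases, in-person
# verification), never copied from the same download location as the
# tarball. makepkg aborts the build if the signature was not made by a key
# listed here.
validpgpkeys=('0000000000000000000000000000000000000000')   # placeholder fingerprint

# Fetch the tarball and its detached signature. Because a .sig entry is
# present and validpgpkeys is set, makepkg runs gpg --verify on the tarball
# before prepare()/build()/package() run.
source=("$url/releases/$pkgname-$pkgver.tar.gz"
        "$url/releases/$pkgname-$pkgver.tar.gz.sig")

# The checksum pins the exact tarball bytes; 'SKIP' is used for the
# signature file, whose integrity is established by the signature check.
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'   # placeholder
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}

# Hypothetical lint helper (not part of makepkg): returns 0 when this
# PKGBUILD carries both a trusted key fingerprint and a detached signature
# entry in source, i.e. when TLS alone is not the only protection.
signature_verification_enabled() {
  [ "${#validpgpkeys[@]}" -gt 0 ] || return 1
  local entry
  for entry in "${source[@]}"; do
    case "$entry" in
      *.sig|*.asc) return 0 ;;
    esac
  done
  return 1
}
```

The point the thread makes is visible in the two arrays: `sha256sums` on its own only pins whatever bytes the maintainer happened to download, while `validpgpkeys` plus the `.sig` source entry ties the tarball to a key that was checked independently of the transport.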