Hi, On 07/06/17 at 09:44am, NicoHood wrote:
On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
On 2017-07-06 02:11, NicoHood wrote:
On 07/05/2017 12:10 AM, Christian Hesse wrote:
Dave Reisner <d@falconindy.com> on Sat, 2017/07/01 13:22:
Hey all,
This should be pretty much a no-brainer, but wanted to be sure I wasn't missing anything. Systemd upstream publishes a "systemd-stable" repo [1] which branches at each tag and cherry-picks backports. I'd like to switch our systemd package to this repo to avoid some of the duplication of work that Jan, Christian and myself have done in the past. The repo sees a bunch more activity than what our own backporting strategy has been, and I see that as a positive.
Just a little heads-up... systemd 233.75-1 landed in [testing]. So give it a try! ;)
BTW, we had just one backported commit to be removed, so 74 new commits landed in this package compared to 233-7. Let's hope this gives some benefit.
Systemd still does not use https sources. Regarding the recent discussion about tricking git with wrong tags and other evil stuff, it is highly recommended to switch to https. Please do it in favor of all Arch Linux users' security.
Once more the reference: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presen...
Regarding the recent discussion:
https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
I really hoped I wouldn't have to put "NicoHood" at the top to make you realize it's addressed to you. Please do it in favor of all Arch Linux packagers.
What are you blaming me for now? This is a package everyone must install, and you are telling me we have other serious problems? Sure we have, but compared to the time it takes to add an "s" to "http", this is a simple excuse. And this is not about checksums, man; this is about https, where even gpg signatures by git can be tricked.
I believe that a large group of Devs/TUs do believe that security is a serious issue and that we should put some effort into security. And I can't thank everyone enough who has done a lot of work, for example, for the Security Tracker. A few people have worked hard, without much complaining, and really made a difference. For the whole signing issue we have a todo list for GPG signatures and never decided, as far as I know, on the sha256 or sha512 (or any poison) sums. Yet there is one individual in our community who keeps harassing (yes, it's called harassment) Devs/TUs to get GPG / HTTPS in PKGBUILDs. I would appreciate it if the discussion regarding GPG sigs etc. would be less dramatic. I'm kinda done with these requirements if I keep getting bugged that it's missing md5sums or https while I have a GPG sig. Calling out people, bugging them, isn't really the method to get things done. Note that this is my personal opinion; I surely do not speak for Arch as a whole.
And yes, I am doing stuff in the background. I wrote a guide and a tool that simplifies source code signing [1], and I am doing a detailed security analysis on all Arch Linux packages. And once it is ready, I will request gpg signatures from every upstream source, especially for packages from [core].
I appreciate the effort of contacting upstream about providing GPG signatures; that's really great!
-- Jelle van der Waa
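The concrete ask in this thread is that a PKGBUILD's source= entries should not be fetched over plaintext transports, and the wider GPG discussion is about whether makepkg can actually verify what it fetched. The following is an added example, not code from the thread, from Arch, or from makepkg: a small POSIX shell lint that reads a PKGBUILD's source=() array and reports entries fetched over http://, git:// or ftp://, plus git sources that are either unpinned (no #tag= or #commit= fragment) or pinned without the ?signed marker that makes makepkg check the tag or commit signature against validpgpkeys. It assumes makepkg's documented "proto+url#fragment?signed" source syntax, parses only the plain source=() array, and ships with a constructed sample PKGBUILD whose repository URL and placeholder key fingerprint are assumptions, not the real systemd package.

```shell
#!/bin/sh
# Added example, not code from the thread, from Arch, or from makepkg.
# lint_sources FILE: scan a PKGBUILD's source=() array and report entries that
#   - are fetched over a plaintext transport (http://, git://, ftp://), or
#   - are git sources makepkg cannot pin or verify: no #tag=/#commit= fragment,
#     or a pinned ref without the ?signed marker that tells makepkg to check
#     the tag/commit signature against validpgpkeys.
# Assumptions: makepkg's documented "proto+url#fragment?signed" syntax; only the
# plain source=() array is parsed (source_<arch>=() and variable expansion are
# out of scope). Prints "KIND  entry" per finding and exits 1 if any were found.
lint_sources() {
    awk -v q="'" '
        /^source=\(/ { inarr = 1 }               # start of the array
        inarr {
            line = $0
            sub(/^source=\(/, "", line)
            if (line ~ /\)[[:space:]]*$/) {      # closing paren ends the array
                sub(/\)[[:space:]]*$/, "", line)
                inarr = 0
            }
            gsub("\"", "", line); gsub(q, "", line)   # strip both quote styles
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "") check(parts[i])
        }
        function check(entry,   url) {
            url = entry
            sub(/^[^:]*::/, "", url)             # drop an optional "filename::" prefix
            if (url ~ /^(git\+)?http:\/\// || url ~ /^(git|ftp):\/\//) {
                print "PLAINTEXT  " entry; total++
            }
            if (url ~ /^git(\+[a-z]+)?:\/\//) {  # any git source, whatever transport
                if (url !~ /#(tag|commit)=/) {
                    print "UNPINNED   " entry; total++
                } else if (index(url, "?signed") == 0) {
                    print "UNSIGNED   " entry; total++
                }
            }
        }
        END { exit (total > 0) }
    ' "$1"
}

# Constructed sample PKGBUILD, not the real systemd package; mixes one entry
# of each kind. The repository URL and the placeholder fingerprint are assumptions.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example
pkgver=233.75
source=("git+http://github.com/systemd/systemd-stable.git#tag=v${pkgver}"
        "git+https://github.com/systemd/systemd-stable.git#branch=v233-stable"
        "git+https://github.com/systemd/systemd-stable.git#tag=v${pkgver}?signed"
        "http://example.org/initcpio-hook"
        "example.conf")
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
EOF
}

# Demo run: the sample yields PLAINTEXT x2, UNSIGNED x1, UNPINNED x1; the
# ?signed entry and the local file pass.
sample=$(mktemp)
write_sample_pkgbuild "$sample"
if lint_sources "$sample"; then
    echo "source=() is clean"
else
    echo "fix the source=() entries above before building"
fi
rm -f "$sample"
```

The lint deliberately treats "pinned to a tag over https" and "pinned to a tag with ?signed" as different states: the first only gives you transport integrity, the second makes makepkg refuse to build unless the tag or commit carries a signature from a key listed in validpgpkeys, which is what the GPG todo list in this thread is about.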