On 11/02/2016 09:07 AM, arch-dev-public-request@archlinux.org wrote:

I understand security is not binary.

TLS is about security of the transportation of sources, not the security of sources themselves, that's why I asked, to know what you had in mind.

My definition of securing the sources, is a way to trust the sources at the build time, no matter the way they were fetched.?I want to be sure that my sources are "correct" even if I get them by usb key, ftp, rsync or even if they were not corrupted locally by a btrfs bug. And when possible, I want to be sure that the server (mirror or not) was not compromised (even at the first fetch).

Keeping that in mind, enforcing tls, doesn't improve much the source security. In fact, it improves only security during the transportation of the sources at the cost of the caching. So, even though I a partisan of tls everywhere, I still balanced by the caching.

Cheers,

-- S?bastien "Seblu" Luttringer

I agree with you that we need to secure against tampered sources. However this requires stronger hash functions. We are not only talking about corruption, but about integrity. We had a discussion about that wiki entry in the chat, which I also wanted to discuss. If you ask me it is highly important to use a strong hash algorithm to verify the source integrity (assumung you trust the PKGBUILD itself). The fact that PGP gives additional authentication is out of question here, however its even better, I agree as authentity also gives integrity. But in the end you trust the PKGBUILDs PGP key or hash, so to me both are important, but we need to always use the best we can, even if we don't have a PGP signature. So I'd say we should also focus on the hashes to be sha512. 512 just to look forward to the future as we all know in a few years 256 won't be enoguh possibly (hopefully not). Back to https I think its still important to ensure the confidentiality, so that nobody in the middle can read the traffic you download. You could argue that this is nothing to hide as its public available, but I'd personally do that whereever I can for several general reasons why you use encryption. To summarize I'd change all hashes to sha512sums, http to https where possible and add PGP where possible. This gives us better Confidentiality, Integrity and Authenticity with no real negative effects.