Re: [arch-dev-public] todo list for moving http -> https sources
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step into that direction. However if you write such a script, it should also check if an https download is available, as not all websites provide https downloads yet (sadly).

Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function as it's highly important for the source integrity and not only meant as checksum for corruption detection.

And as always: more secure does not hurt nowadays.

Cheers,
Nico
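Nico's suggestion that a conversion script should first check whether an https download actually exists, as an added example (not code from this thread or from Arch's own packaging tools). It assumes PKGBUILD-style source=() entries, optionally written as name::url; the sample URLs and the offline demo_probe are constructed, and https_reachable is the real network probe a packager would plug in.

```python
import urllib.error
import urllib.request
from typing import Callable, Iterable

# Constructed sample of PKGBUILD-style source=() entries: plain http, a renamed
# "file::url" entry, an already-https URL and a local file that is not a URL.
SAMPLE_SOURCES = [
    "http://example.com/foo-1.0.tar.gz",
    "bar-2.1.tar.xz::http://legacy.example.org/download?id=42",
    "https://secure.example.net/baz-3.0.tar.gz",
    "foo.install",
]

def https_reachable(url: str, timeout: float = 10.0) -> bool:
    """Default probe: HEAD the https:// variant; any error counts as unavailable."""
    try:
        req = urllib.request.Request(url, method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 400
    except (urllib.error.URLError, OSError, ValueError):
        return False

def demo_probe(url: str) -> bool:
    """Constructed offline stand-in: every host but legacy.example.org has https."""
    return "legacy.example.org" not in url

def upgrade_sources(sources: Iterable[str],
                    probe: Callable[[str], bool] = https_reachable):
    """Rewrite http:// entries to https:// only where the probe confirms the
    endpoint answers. Returns the new entry list and a per-URL report."""
    upgraded, report = [], {}
    for entry in sources:
        prefix, sep, url = entry.rpartition("::")  # keep any "name::" rename
        if not url.startswith("http://"):
            upgraded.append(entry)  # https, git+..., ftp or local file: untouched
            continue
        candidate = "https://" + url[len("http://"):]
        if probe(candidate):
            upgraded.append(prefix + sep + candidate)
            report[url] = "upgraded"
        else:
            upgraded.append(entry)
            report[url] = "no https endpoint, kept http"
    return upgraded, report

if __name__ == "__main__":
    new_sources, findings = upgrade_sources(SAMPLE_SOURCES, probe=demo_probe)
    print("\n".join(new_sources))
    print(findings)
```

Entries the probe cannot upgrade are reported rather than silently kept, so the packager can see which sources still rely on a plain-http channel.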
[2016-10-31 15:19:40 +0100] NicoHood:
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step into that direction.

Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function as it's highly important for the source integrity and not only meant as checksum for corruption detection.
You know HTTPS uses hash functions too, right? And you know they are in many cases much weaker than those GnuPG uses by default, right?

--
Gaetan
On 2016-10-31 14:19, NicoHood wrote:
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step into that direction.
However if you write such a script, it should also check if an https download is available, as not all websites provide https downloads yet (sadly).
Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function as it's highly important for the source integrity and not only meant as checksum for corruption detection. And as always: more secure does not hurt nowadays.
Cheers, Nico
Your message appears outside the thread. Please make sure your mail client is configured correctly as it doesn't help in not exploding the discussion.

Bartłomiej
participants (3)
- Bartłomiej Piotrowski
- Gaetan Bisson
- NicoHood