On Mon, Feb 15, 2016 at 8:14 PM, Nicolas F. <archlist@fratti.ch> wrote:
Hi all,
quick reminder that SourceForge was recently acquired and since then has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their sources from SourceForge, it might be a good idea to switch them from using plain http:// to https://.
While the certificate authority model is arguably broken when it comes to protecting against state-sponsored attacks, this will give some additional security to ensure that the sources packagers fetch and generate the hash sums from are actually the sources the project releases, and not a malicious man-in-the-middle response by some third party.
Finding the affected packages should be as simple as running the following in the ABS root:
for f in $(egrep -r -l 'http://.*\.sourceforge\.net' *); do \
  echo $(dirname $f); done | uniq
I'm counting 937 affected packages here.
Cool, any reason why you didn't submit a patch? Just curious, as you already went ahead and did the legwork.
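As an added example (not code from the thread or from the Arch packaging tools), the following POSIX shell script does the legwork discussed above against a tree of PKGBUILDs: it lists the package directories whose PKGBUILD still pulls from SourceForge over plain http://, counts them, and rewrites those URLs to https:// in place. The sample tree with the packages foo, bar and baz is constructed inside the script so it runs offline; function names and paths are my own.

```shell
#!/bin/sh
# Added example: find and fix http:// SourceForge source URLs in PKGBUILDs.
# Everything here (function names, the sample tree) is constructed for
# illustration; nothing is taken from the ABS tree itself.

# Print, once each, every directory under "$1" that holds a PKGBUILD
# referencing an http:// URL on a sourceforge.net host. Like the original
# one-liner this also matches URLs in comments, which is acceptable for
# a survey.
list_http_sourceforge() {
    find "$1" -name PKGBUILD -type f | while read -r f; do
        if grep -q -E 'http://[^[:space:]]*\.sourceforge\.net' "$f"; then
            dirname "$f"
        fi
    done | sort -u
}

# Number of affected package directories (the "937" figure of the post).
count_http_sourceforge() {
    list_http_sourceforge "$1" | wc -l | tr -d ' '
}

# Rewrite http:// to https:// in one PKGBUILD, but only for hosts that
# end in sourceforge.net; other mirrors and project sites are left alone.
# The checksums in the PKGBUILD are deliberately not touched: after the
# switch the same archive must still match, so a mismatch means the file
# served over https differs from what the hashes were generated from.
upgrade_sourceforge_urls() {
    sed -i.bak -E \
        's#http://([^[:space:]/]*\.)?sourceforge\.net#https://\1sourceforge.net#g' \
        "$1"
    rm -f "$1.bak"
}

# Build a small constructed ABS-like tree in a temp dir and print its path:
#   foo: http SourceForge (needs fixing)
#   bar: already https SourceForge
#   baz: http but not SourceForge (must stay untouched)
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/foo" "$dir/bar" "$dir/baz"
    cat > "$dir/foo/PKGBUILD" <<'EOF'
pkgname=foo
pkgver=1.0
source=("http://downloads.sourceforge.net/project/foo/foo-$pkgver.tar.gz")
EOF
    cat > "$dir/bar/PKGBUILD" <<'EOF'
pkgname=bar
pkgver=2.3
source=("https://downloads.sourceforge.net/project/bar/bar-$pkgver.tar.gz")
EOF
    cat > "$dir/baz/PKGBUILD" <<'EOF'
pkgname=baz
pkgver=0.9
source=("http://example.org/baz-$pkgver.tar.xz")
EOF
    printf '%s\n' "$dir"
}

# Demo run: survey, fix each affected PKGBUILD, survey again, clean up.
root=$(make_sample_tree)
echo "Affected before: $(count_http_sourceforge "$root")"
list_http_sourceforge "$root" | while read -r d; do
    upgrade_sourceforge_urls "$d/PKGBUILD"
done
echo "Affected after: $(count_http_sourceforge "$root")"
rm -rf "$root"
```

Run it on a real checkout by replacing the constructed tree with the ABS root; after rewriting, a `makepkg` source fetch with unchanged checksums is the check that the https download is byte-identical to what the hashes were computed from.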