On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx@archlinux.org> wrote:
On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
As a middle ground, I think it would be more reasonable (or at least, less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at least parts of them. For an existing example, OpenBSD's signify(1) uses their cryptographic signature system to sign a simple list of sha256sums.
Perhaps makepkg could include, e.g., a sha256sumsigs array, that contains a PGP signature (signed by the developer/TU's official key) of the contents (properly serialised by makepkg so there's a minimum of possible ambiguity) of the sha256sums array?
That is literally a _completely_ different topic that addresses _completely_ different areas. You are speaking about authenticating the build scripts themselves. That does not solve _anything_ at all of what this thread/topic/todo-list is about.
Don't get me wrong: I don't judge about it at all, I'm just saying that both are fully independent from each other and you should please open a new thread if you want to discuss this rather than hijack this thread :)
cheers, Levente
Yes, these are two totally different subjects: "Encourage the use of PGP signatures in our `source`" and "Using HTTPS on our `source`". Let's stick to the original subject :) I am all in favor of a script to turn `http` into `https` when available. Yeah, HTTPS "brings a false sense of security", but still it hardens a link in the build process. Sorry for your caches, guys. I might miss some background here, but I couldn't imagine any reason to go against adding some more security in our build process.
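
A minimal sketch of the kind of script proposed in the last message, added here as an example and not code from the thread or from makepkg: it rewrites `http://` to `https://` only inside `source` arrays, and only for hosts that a caller-supplied probe accepts. The names `upgrade_sources` and `https_ok` and the sample PKGBUILD are assumptions made for illustration.

```python
import re

# source=(...) and per-architecture source_x86_64=(...) arrays in a PKGBUILD.
# Simplification: assumes no ')' appears inside the array's entries.
SOURCE_ARRAY = re.compile(r'^(\s*source(?:_\w+)?=\()(.*?)(\))', re.M | re.S)
# http:// URLs, including renamed (name::http://) and VCS (git+http://) entries.
HTTP_URL = re.compile(r'\bhttp://([A-Za-z0-9.-]+)')


def upgrade_sources(pkgbuild, https_ok):
    """Rewrite http:// to https:// inside source arrays only.

    https_ok(host) is a caller-supplied probe (an assumption of this sketch)
    that returns True when the host serves the same files over HTTPS.
    Returns (new_text, upgraded_hosts, hosts_left_on_http).
    """
    upgraded, kept = [], []

    def fix_url(m):
        host = m.group(1)
        if https_ok(host):
            upgraded.append(host)
            return 'https://' + host
        kept.append(host)          # reported so a maintainer can review it
        return m.group(0)

    def fix_array(m):
        return m.group(1) + HTTP_URL.sub(fix_url, m.group(2)) + m.group(3)

    return SOURCE_ARRAY.sub(fix_array, pkgbuild), upgraded, kept


# Constructed sample PKGBUILD fragment (not a real package).
SAMPLE = '''pkgname=example
url="http://example.org/"
source=("http://downloads.example.org/$pkgname-$pkgver.tar.gz"{,.sig}
        "patch::http://legacy.example.net/fix.patch")
'''

if __name__ == '__main__':
    # Stand-in probe; a real one would attempt a TLS connection to the host.
    probe = lambda host: host == 'downloads.example.org'
    text, up, kept = upgrade_sources(SAMPLE, probe)
    print(text)
    print('upgraded:', up, '| still http:', kept)
```

Checksums and `.sig` entries are left untouched, so the existing integrity checks keep applying to whatever is downloaded over the new scheme.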