On Sun, 4 Mar 2012 14:56:43 +0100 Christian Hesse <list@eworm.de> wrote:
Ionut Biru <ibiru@archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
On 03/04/2012 12:22 PM, Christian Hesse wrote:
I think it makes sense to not allow pages related to package signing being delivered via http. Instead automatically redirect to https to avoid man in the middle attacks. First site that comes to my mind: https://www.archlinux.org/master-keys/
open a feature request and tag it with {archweb}
Done. Thanks! https://bugs.archlinux.org/task/28771
The strong point of the signing thingy is users' ability to verify keys using multiple independent sources, such as devs' personal websites, keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do I really trust in integrity of archlinux.org infrastructure? Not really, but I don't have to. Having said that, just use https:// directly or install a browser plugin (e.g. https finder). -- Leonid Isaev GnuPG key ID: 164B5A6D Key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D