[arch-general] SourceForge now supports TLS, update source URLs
Hi all,

quick reminder that SourceForge was recently acquired and since then has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their sources from SourceForge, it might be a good idea to switch them from using plain http:// to https://.

While the certificate authority model is arguably broken when it comes to protecting against state-sponsored attacks, this will give some additional security to ensure that the sources packagers fetch and generate the hash sums from are actually the sources the project releases, and not a malicious man-in-the-middle response by some third party.

Finding the affected packages should be as simple as running the following in the ABS root:

for f in $(egrep -r -l 'http://.*\.sourceforge\.net' *); do \
    echo $(dirname $f); done | uniq

I'm counting 937 affected packages here.

Cheers
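As an added example (not code from the thread), a POSIX shell script that performs the same search restricted to PKGBUILD files and then rewrites the matching URLs in place; the tree it scans is a constructed fixture, and the package names and hosts in it are made up.

```sh
#!/bin/sh
# Added example (not from the thread): find PKGBUILDs that still fetch from
# SourceForge over plain http:// and rewrite those URLs to https://.
# The fixture below is constructed sample data, not real packages.

# Print each package directory under $1 whose PKGBUILD contains an
# http://...sourceforge.net URL. Same idea as the one-liner in the thread,
# but limited to PKGBUILD files and safe for paths containing spaces.
list_http_sourceforge() {
    find "$1" -type f -name PKGBUILD \
        -exec grep -l -E 'http://[^[:space:]]*\.sourceforge\.net' {} + \
        | while IFS= read -r f; do dirname "$f"; done | sort -u
}

# Rewrite http:// to https:// for every *.sourceforge.net host in the affected
# PKGBUILDs, keeping a PKGBUILD.orig backup for review. The checksums in the
# file stay valid: only the transport changes, not the downloaded content.
upgrade_sourceforge_urls() {
    list_http_sourceforge "$1" | while IFS= read -r d; do
        sed -i.orig -E 's#http://([^[:space:]/]*\.sourceforge\.net)#https://\1#g' \
            "$d/PKGBUILD"
    done
}

# Build a small ABS-like tree of three constructed PKGBUILDs and print its path:
# one still on http://, one already on https://, one not using SourceForge.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/foo" "$fx/bar" "$fx/baz"
    printf '%s\n' 'pkgname=foo' 'pkgver=1.0' \
        'source=("http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz")' \
        > "$fx/foo/PKGBUILD"
    printf '%s\n' 'pkgname=bar' 'pkgver=2.0' \
        'source=("https://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz")' \
        > "$fx/bar/PKGBUILD"
    printf '%s\n' 'pkgname=baz' 'pkgver=3.0' \
        'source=("http://example.invalid/$pkgname-$pkgver.tar.gz")' \
        > "$fx/baz/PKGBUILD"
    echo "$fx"
}
```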
On Mon, Feb 15, 2016 at 8:14 PM, Nicolas F. <archlist@fratti.ch> wrote:
Cool, any reason why you didn't submit a patch? Just curious, as you already went ahead and did the legwork.
On 16/02/16 11:55, Carsten Mattner wrote:
Several reasons:

- Would one submit a patch to each package's maintainer for that package? Perhaps the Arch project decides it's not worth the effort to change all the URLs in one go, resulting in a lot of unnecessary e-mail spam from my side.
- If the changes were submitted as one huge patch, who would review and apply them? Furthermore, it's a trivial change that can be automated; making sure the patches are correct is at least as much effort as simply doing the changes themselves.
- Simple and plain laziness. I'd rather have somebody more involved in the project figure out the details.