Hi Nicohood,

On Thu, Dec 01, 2016 at 04:23:27PM +0100, NicoHood wrote:
> You do not need to move the packages as fast as possible into community. I became TU a month ago and arduino is still not in community because some issues needed to be solved first. So quality and security are more important here.
Agreed.
> About all this https discussion: I think we should all conform to the gpg and https standards we made recently (and the string hashes that I suggested) and we should also try to increase the quality of AUR in general and especially as TU to advise other people to do so too. Packaging a secure chat program and being so lazy about https makes me wonder.
> I think it'd be good for you to rethink the https (and gpg, hash) topic, because (especially) as secure chat messenger packager it'd be extremely important to me that you try to achieve the best security possible.
You almost sound like I'm opposing all forms of "security" (whatever you mean by that). Of course we should promote the use of TLS and HTTPS on the Internet, even though the trust model is flawed and implementations are bloated/bugged. My point is that in the context of packaging, we have different requirements than for web browsing. HTTPS does not provide authenticity and integrity of the sources themselves, which is what we are interested in. PGP (preferably) and strong hash algorithms (as a substitute) should be used for that.

To avoid repeating the same arguments, I agree with what seblu said on arch-dev-public:

On Tue, Nov 01, 2016 at 04:03:04PM +0100, Sébastien Luttringer wrote:
> TLS is about the security of the transportation of sources, not the security of the sources themselves. That's why I asked, to know what you had in mind.
> My definition of securing the sources is a way to trust the sources at build time, no matter the way they were fetched. I want to be sure that my sources are "correct" even if I get them by usb key, ftp, rsync or even if they were not corrupted locally by a btrfs bug. And when possible, I want to be sure that the server (mirror or not) was not compromised (even at the first fetch).
> Keeping that in mind, enforcing TLS doesn't improve source security much. In fact, it only improves security during the transportation of the sources, at the cost of caching.
Besides this issue, I already mentioned another drawback of using HTTPS: untrusted certificates (either expired, self-signed, or just signed by an untrusted CA) will cause build failure. This was a real issue for OpenWRT, so they switched to using --no-check-certificate in 2010 [1] to avoid build failures. Sources are already validated with a checksum.

Anyway, some of my packages do not use HTTPS, and this is indeed mostly because of laziness. I consider this a low-priority task. It does not mean that I am fundamentally opposed to the use of HTTPS, especially for "big" providers like github, which are not very likely to have expired certs.

I had a look at the sources for my AUR packages, and here is the result:

- 5 fetched over HTTPS
- 7 fetched over git+https://
- 5 fetched over HTTP, with no HTTPS available
- 1 fetched over FTP, with no HTTPS available
- 5 fetched over HTTP while HTTPS is available (including 1 with a PGP signature)
- 6 fetched over git:// while git+https:// is available

So, less than half of them needed to be "fixed". I just switched to HTTPS for 10 out of the 11 fixable packages. The only remaining one is linux-mptcp, because I plan to move it away from git soon anyway.

Baptiste

[1] https://git.lede-project.org/?p=openwrt/source.git;a=blobdiff;f=scripts/down...
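The point seblu and Baptiste make, that integrity comes from the checksum or PGP signature checked at build time and not from the transport, is easy to see in code. The following is an added example, not makepkg's or the AUR's own code: it verifies a source file the way makepkg's sha256sums and validpgpkeys arrays do, with no knowledge of whether the file arrived over https, http, ftp, rsync or a USB key. It assumes coreutils sha256sum and, only when a detached signature is supplied, gpg.

```shell
#!/bin/sh
# Added example (not makepkg's code): transport-independent source checks.
# The digest check mirrors makepkg's sha256sums array (including "SKIP");
# the signature check mirrors validpgpkeys. Assumes sha256sum and gpg.

# verify_sha256 FILE EXPECTED -> 0 match, 1 mismatch, 2 when EXPECTED is SKIP.
# SKIP is reported separately because it gives no integrity guarantee at all.
verify_sha256() {
    file=$1; expected=$2
    if [ "$expected" = "SKIP" ]; then
        echo "WARNING: $file: checksum skipped, no integrity check" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && return 0
    echo "ERROR: $file: sha256 mismatch (got $actual, want $expected)" >&2
    return 1
}

# verify_pgp FILE SIGFILE TRUSTED_FPRS -> 0 only if gpg reports VALIDSIG and
# the signing key (or its primary key) is in TRUSTED_FPRS, a space-separated
# list of full fingerprints like makepkg's validpgpkeys array.
verify_pgp() {
    file=$1; sig=$2; trusted=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' || true)
    [ -n "$line" ] || return 1
    fpr=$(printf '%s\n' "$line" | awk '{print $3}')
    primary=$(printf '%s\n' "$line" | awk '{print $NF}')
    for t in $trusted; do
        [ "$t" = "$fpr" ] || [ "$t" = "$primary" ] && return 0
    done
    echo "ERROR: $file: valid signature, but key $fpr is not trusted" >&2
    return 1
}

# verify_source FILE SHA256 [SIGFILE TRUSTED_FPRS]
# PGP is the preferred check; the digest is the substitute. A SKIP digest is
# therefore tolerated only when a signature is supplied and verifies.
verify_source() {
    rc=0; verify_sha256 "$1" "$2" || rc=$?
    [ "$rc" -eq 1 ] && return 1
    if [ -n "$3" ]; then
        verify_pgp "$1" "$3" "$4"
        return $?
    fi
    [ "$rc" -eq 0 ]
}
```

A corrupted download, a bad mirror and a flipped bit on a USB key all fail the same way here, which is the property a PKGBUILD actually needs from its sources.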