On Mon, 2016-10-31 at 17:03 -0400, Dave Reisner wrote:
On Mon, Oct 31, 2016 at 04:36:23PM -0400, Travis Burtrum wrote:
From abb057844eec0e5707c31b643d0f2187b4cf0eb6 Mon Sep 17 00:00:00 2001
From: Travis Burtrum <travis.archlinux@burtrum.org>
Date: Mon, 31 Oct 2016 02:12:31 -0400
Subject: [PATCH] Add per-repo PinnedPubKey option
This sets curl's CURLOPT_PINNEDPUBLICKEY option in the built-in downloader, or replaces %p in XferCommand. This pins public keys to ensure your TLS connection is not man-in-the-middled without relying on CAs etc. Probably most useful currently for very small groups or single servers.
It would obviously be best as a per-mirror option, but such a thing currently does not exist.
But perhaps as part of a larger scope, it could... As mentioned on IRC, I'm not a huge fan of this.
Perhaps Pacman should just learn to respect HPKP? It's actually supported by wget now, take a look at ~/.wget-hsts. Pacman could have a similar file in the sync database directory. Then it just kicks in after the first connection and as long as Pacman keeps accessing that mirror it will keep updating the date. It could work quite well since we don't support not upgrading for long periods of time.
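For readers following the two ideas in this thread (curl-style public key pins, and a trust-on-first-use pin file that refreshes its expiry on every contact), here is an added illustration that is not part of the patch, the mailing list post, or pacman itself. It assumes the caller already has the DER-encoded SubjectPublicKeyInfo of the mirror's certificate as bytes (real code would extract it from the TLS handshake); the hostnames, key bytes and store path are constructed for the example, and the file format is a plain JSON map chosen here, not anything the thread specifies.

```python
"""Trust-on-first-use public key pin store, modelled on the HSTS/HPKP-style
file sketched in the thread. Constructed example: the SPKI bytes used in
demo() are not real keys, and the store lives in a temporary directory."""
import base64
import hashlib
import json
import os
import tempfile

DEFAULT_MAX_AGE = 30 * 24 * 3600  # seconds a pin stays valid without a refresh


def spki_pin(spki_der: bytes) -> str:
    """Return a pin in the form curl's CURLOPT_PINNEDPUBLICKEY / --pinnedpubkey
    accept: 'sha256//' followed by the base64 SHA-256 of the DER SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256//" + base64.b64encode(digest).decode("ascii")


class PinStore:
    """One JSON file mapping mirror host -> {"pin": ..., "expires": ...}."""

    def __init__(self, path: str, max_age: int = DEFAULT_MAX_AGE):
        self.path = path
        self.max_age = max_age
        self.entries = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def _save(self) -> None:
        # Write to a sibling file and rename so a crash cannot leave a half-written store.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.entries, fh)
        os.replace(tmp, self.path)

    def check(self, host: str, spki_der: bytes, now: float) -> str:
        """First contact records the pin; later contacts must match it and
        slide the expiry forward. Returns 'pinned', 'ok' or 'mismatch'."""
        pin = spki_pin(spki_der)
        entry = self.entries.get(host)
        if entry is not None and entry["expires"] < now:
            entry = None  # pin not refreshed within max_age: back to first-use behaviour
        if entry is None:
            self.entries[host] = {"pin": pin, "expires": now + self.max_age}
            self._save()
            return "pinned"
        if entry["pin"] != pin:
            return "mismatch"  # store untouched; the caller must abort the transfer
        entry["expires"] = now + self.max_age  # every successful contact refreshes the date
        self._save()
        return "ok"


def demo() -> list:
    """Walk one mirror through first use, refresh, key change, reload and expiry."""
    key_a = b"constructed-spki-A"  # stands in for a real DER SubjectPublicKeyInfo
    key_b = b"constructed-spki-B"
    day = 24 * 3600
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        store = PinStore(path, max_age=30 * day)
        results = [
            store.check("mirror.example", key_a, now=0),          # pinned on first use
            store.check("mirror.example", key_a, now=10 * day),   # ok, expiry moves to day 40
            store.check("mirror.example", key_b, now=20 * day),   # mismatch: different key
        ]
        store = PinStore(path, max_age=30 * day)                  # reopen: pins survive restarts
        results.append(store.check("mirror.example", key_a, now=35 * day))  # ok, expiry -> day 65
        results.append(store.check("mirror.example", key_b, now=80 * day))  # expired, re-pinned
    return results


if __name__ == "__main__":
    print(demo())
```

The string `spki_pin()` produces is the same form curl expects on the command line (`curl --pinnedpubkey 'sha256//...' https://mirror.example/...`), so a pin learned by the store can be handed straight to the downloader. The sliding expiry is what makes the trust-on-first-use scheme tolerable: a mirror that is contacted regularly never falls out of the store, while one that has not been seen for longer than `max_age` is treated as new rather than trusted against a possibly stale key.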