[arch-dev-public] todo list for moving http -> https sources

Dave Reisner d at falconindy.com
Tue Nov 1 13:55:11 UTC 2016


On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote:
> [2016-10-31 10:05:26 -0400] Dave Reisner:
> > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > > I agree with Sébastien. We should encourage upstream to digitally sign
> > > their releases, and verify their authenticity in our PKGBUILDs.
> > >
> > > Downloading releases over HTTPS gives a false sense of security:
> > > everybody knows the CA model is severely broken. In terms of security
> > > this simply does not compare with OpenPGP... In my view, switching our
> > > download links to HTTPS is nothing but an annoyance.
> > 
> > The CA model is broken. http clients have bugs. http servers have bugs.
> > pgp has bugs. sovereign states might be snooping on connections. None of
> > these are reasons to avoid an attempt at providing another layer of
> > security. That's all TLS is and I'm not suggesting it's some panacea.
> > 
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale, and some of them will likely not be interested in doing such
> > a thing. If an upstream won't provide PGP signatures, do you have
> > another suggestion as to how we can secure our process of obtaining
> > upstream sources in a reliable manner?
> 
> All the nuances in my message were apparently lost on you...
> 
> I said OpenPGP provides a much higher degree of security than HTTPS, so
> that's what we should strive to use. Obviously, for cases where digital
> signatures aren't available, downloading sources over HTTPS is better
> than nothing. What I argued, however, is that it's not much better than
> nothing, so we shouldn't become complacent and trust sources just
> because they came over TLS.
> 
> Cheers.
> 
> -- 
> Gaetan

I'll take this to mean that you don't have any objections about
adding additional layers of security.

d


More information about the arch-dev-public mailing list