[arch-dev-public] todo list for moving http -> https sources
bisson at archlinux.org
Tue Nov 1 20:13:11 UTC 2016
[2016-11-01 09:55:11 -0400] Dave Reisner:
> On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote:
> > [2016-10-31 10:05:26 -0400] Dave Reisner:
> > > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > > > I agree with Sébastien. We should encourage upstream to digitally sign
> > > > their releases, and verify their authenticity in our PKGBUILDs.
> > > >
> > > > Downloading releases over HTTPS gives a false sense of security:
> > > > everybody knows the CA model is severely broken. In terms of security
> > > > this simply does not compare with OpenPGP... In my view, switching our
> > > > download links to HTTPS is nothing but an annoyance.
> > >
> > > The CA model is broken. http clients have bugs. http servers have bugs.
> > > pgp has bugs. sovereign states might be snooping on connections. None of
> > > these are reasons to avoid an attempt at providing another layer of
> > > security. That's all TLS is and I'm not suggesting it's some panacea.
> > >
> > > Asking every upstream to provide a PGP signature isn't a process which
> > > will scale, and some of them will likely not be interested in doing such
> > > a thing. If an upstream won't provide PGP signatures, do you have
> > > another suggestion as to how we can secure our process of obtaining
> > > upstream sources in a reliable manner?
> >
> > All the nuances in my message were apparently lost on you...
> > I said OpenPGP provides a much higher degree of security than HTTPS, so
> > that's what we should strive to use. Obviously, for cases where digital
> > signatures aren't available, downloading sources over HTTPS is better
> > than nothing. What I argued, however, is that it's not much better than
> > nothing, so we shouldn't become complacent and trust sources just
> > because they came over TLS.
>
> I'll take this to mean that you don't have any objections about
> adding additional layers of security.

My point is they're not "additional layers of security", just
"additional layers". But whatever, if you feel that strongly about this,
go right ahead.