[arch-dev-public] arch-dev-public Digest, Vol 117, Issue 2

Nico arch-dev at nicohood.de
Wed Nov 2 18:47:49 UTC 2016


On 11/02/2016 09:07 AM, arch-dev-public-request at archlinux.org wrote:
> I understand security is not binary.
> 
> TLS is about security of the transportation of sources, not the security of
> sources themselves, that's why I asked, to know what you had in mind.
> 
> My definition of securing the sources, is a way to trust the sources at the
> build time, no matter the way they were fetched. I want to be sure that my
> sources are "correct" even if I get them by usb key, ftp, rsync or even if they
> were not corrupted locally by a btrfs bug.
> And when possible, I want to be sure that the server (mirror or not) was not
> compromised (even at the first fetch).
> 
> Keeping that in mind, enforcing tls, doesn't improve much the source security.
> In fact, it improves only security during the transportation of the sources at
> the cost of the caching.
> So, even though I a partisan of tls everywhere, I still balanced by the
> caching.
> 
> 
> Cheers,
> 
> -- Sébastien "Seblu" Luttringer

I agree with you that we need to secure against tampered sources.
However this requires stronger hash functions. We are not only talking
about corruption, but about integrity. We had a discussion about that
wiki entry in the chat, which I also wanted to discuss. If you ask me it
is highly important to use a strong hash algorithm to verify the source
integrity (assuming you trust the PKGBUILD itself).

The fact that PGP gives additional authentication is out of question
here, however it's even better, I agree, as authenticity also gives integrity.

But in the end you trust the PKGBUILD's PGP key or hash, so to me both
are important, but we need to always use the best we can, even if we
don't have a PGP signature. So I'd say we should also focus on the
hashes to be sha512. 512 just to look forward to the future as we all
know in a few years 256 won't be enough possibly (hopefully not).

Back to https I think it's still important to ensure the confidentiality,
so that nobody in the middle can read the traffic you download. You
could argue that this is nothing to hide as it's publicly available, but
I'd personally do that wherever I can for several general reasons why
you use encryption.

To summarize I'd change all hashes to sha512sums, http to https where
possible and add PGP where possible. This gives us better
Confidentiality, Integrity and Authenticity with no real negative effects.
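As an added example, not part of the thread and not makepkg's own code: the check a PKGBUILD's sha512sums array drives, written as a small POSIX sh script. The digest is pinned by the packager and compared at build time, so it catches a modified tarball no matter whether it arrived over https, ftp, rsync or a usb key. It also shows the makepkg `SKIP` placeholder, which turns the check off entirely. It assumes coreutils `sha512sum` and `mktemp`; the sample "source" file is constructed inline.

```shell
#!/bin/sh
# Added example: pin-and-verify a source file with SHA-512, the way makepkg
# checks entries of a PKGBUILD's sha512sums array. Not makepkg's own code.
# Assumes coreutils sha512sum and mktemp.

# digest_sha512 FILE -> prints the hex SHA-512 digest of FILE
digest_sha512() {
    sha512sum "$1" | cut -d' ' -f1
}

# verify_source FILE EXPECTED
#   returns 0 if FILE's digest equals EXPECTED,
#           2 if EXPECTED is the makepkg placeholder SKIP (nothing is checked),
#           1 on mismatch.
verify_source() {
    file=$1
    expected=$2
    if [ "$expected" = "SKIP" ]; then
        # SKIP disables the check; it gives none of the integrity the
        # thread asks for, so callers should treat 2 as a warning.
        return 2
    fi
    actual=$(digest_sha512 "$file")
    [ "$actual" = "$expected" ]
}

# demo_tamper -> 0 when the pinned digest accepts the untouched file and
# rejects a modified copy, 1 otherwise. Uses a constructed sample file.
demo_tamper() {
    dir=$(mktemp -d) || return 1
    src="$dir/pkg-1.0.tar"
    printf 'constructed sample source\n' > "$src"
    pinned=$(digest_sha512 "$src")          # what the packager records
    if ! verify_source "$src" "$pinned"; then
        rm -rf "$dir"; return 1
    fi
    # Simulate corruption or tampering anywhere between upstream and the build
    printf 'x' >> "$src"
    if verify_source "$src" "$pinned"; then
        rm -rf "$dir"; return 1             # must NOT be accepted
    fi
    rm -rf "$dir"
    return 0
}

demo_tamper && echo "modified source rejected, untouched source accepted"
```

The digest compare is exact string equality on the hex output; a `SKIP` entry short-circuits it, which is why a warning on return code 2 is useful when auditing PKGBUILDs.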
