[arch-dev-public] todo list for moving http -> https sources

Gaetan Bisson bisson at archlinux.org
Mon Oct 31 02:43:04 UTC 2016


[2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > There's been a sizeable number of bugs filed over the past month or so
> > about changing PKGBUILDs to acquire sources from https rather than http.
> > Rather than continue to flood the bug tracker, would anyone mind if I
> > wrote a script to find instances of this and start a TODO list?  This
> > would, of course, be low priority. Even if no one does anything, we at
> > least have a statement of work and can avoid having these "bugs"
> > littered around flyspray.
> > 
> > Unless there's strong opposition to this (and I'd be very interested to
> > know why), I'll polish up my automation and create the list.
> 
> The few BR that reached me also requested the addition of a .sig.
> As I use a transparent http cache at home (2Mb/s bandwidth), so far I only
> added the signature, and not the https as it breaks the cache.
> 
> Except the confidentiality of the request, what's the point to force https?

I agree with Sébastien. We should encourage upstream to digitally sign
their releases, and verify their authenticity in our PKGBUILDs.

Downloading releases over HTTPS gives a false sense of security:
everybody knows the CA model is severely broken. In terms of security
this simply does not compare with OpenPGP... In my view, switching our
download links to HTTPS is nothing but an annoyance.

Cheers.

-- 
Gaetan
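As an added illustration of both points in this thread (not code from the list or from any Arch tooling): the script below does what Dave proposed, scanning a PKGBUILD for plain-http sources, and at the same time reports whether the PKGBUILD carries the upstream signature and validpgpkeys that Sébastien and Gaetan prefer over an https URL. The sample PKGBUILD, the package "foo", the example.invalid host and the all-zero key fingerprint are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a PKGBUILD for
# sources fetched over plain http and for upstream signature verification
# (a .sig/.asc source plus a validpgpkeys array). Pure grep/sed so it runs
# under POSIX sh without sourcing the PKGBUILD.

# Constructed sample PKGBUILD for a hypothetical package "foo"; the host and
# the fingerprint are placeholders, not real values.
SAMPLE_PKGBUILD='pkgname=foo
pkgver=1.2.3
source=("http://example.invalid/foo-$pkgver.tar.gz"
        "http://example.invalid/foo-$pkgver.tar.gz.sig"
        "https://example.invalid/foo-extra.patch")
validpgpkeys=("0000000000000000000000000000000000000000")
sha256sums=("SKIP" "SKIP" "SKIP")
'

# Write the constructed sample to a temporary file and print its path.
write_sample_pkgbuild() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_PKGBUILD" > "$f"
    printf '%s\n' "$f"
}

# Print every plain-http URL in the file, one per line (https is not matched).
plain_http_sources() {
    grep -o 'http://[^"'"'"' )]*' "$1" || true
}

# Number of plain-http sources, 0 when there are none.
count_plain_http() {
    n=$(plain_http_sources "$1" | grep -c .) || n=0
    printf '%s\n' "$n"
}

# Detached-signature sources (.sig/.asc) that makepkg can verify.
signature_sources() {
    grep -oE 'https?://[^"'"'"' )]*\.(sig|asc)' "$1" || true
}

# Does the PKGBUILD name the key(s) makepkg may trust for that verification?
has_validpgpkeys() {
    grep -q '^validpgpkeys=' "$1"
}

# One-line verdict per PKGBUILD, suitable for building the proposed TODO list:
# plain-http source count plus the state of upstream signature verification.
audit_pkgbuild() {
    f=$1
    name=$(sed -n 's/^pkgname=//p' "$f")
    http=$(count_plain_http "$f")
    sigs=$(signature_sources "$f" | grep -c .) || sigs=0
    if [ "$sigs" -gt 0 ] && has_validpgpkeys "$f"; then
        verify="signature verified (validpgpkeys set)"
    elif [ "$sigs" -gt 0 ]; then
        verify="signature present but validpgpkeys missing"
    else
        verify="no upstream signature"
    fi
    printf '%s: %s plain-http source(s); %s\n' "$name" "$http" "$verify"
}

# Usage: sh audit.sh /path/to/PKGBUILD ; with no argument, audit the sample.
if [ -n "${1:-}" ]; then
    audit_pkgbuild "$1"
else
    sample=$(write_sample_pkgbuild)
    audit_pkgbuild "$sample"
    rm -f "$sample"
fi
```

The verdict deliberately keeps the two questions apart: a .sig next to the tarball only protects the package if validpgpkeys is set, since makepkg otherwise cannot tell a signature from the upstream key from one made with any other key; a plain-http tarball with a verified signature is in better shape than an https tarball with no signature at all.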