[arch-dev-public] todo list for moving http -> https sources

Dave Reisner d at falconindy.com
Mon Oct 31 02:47:38 UTC 2016


On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote:
> On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > Hi all,
> > 
> > There's been a sizeable number of bugs filed over the past month or so
> > about changing PKGBUILDs to acquire sources from https rather than http.
> > Rather than continue to flood the bug tracker, would anyone mind if I
> > wrote a script to find instances of this and start a TODO list?  This
> > would, of course, be low priority. Even if no one does anything, we at
> > least have a statement of work and can avoid having these "bugs"
> > littered around flyspray.
> > 
> > Unless there's strong opposition to this (and I'd be very interested to
> > know why), I'll polish up my automation and create the list.
> > 
> > d
> 
> Hello,
> 
> The few BR that reached me also requested the addition of a .sig.

Yes, this was raised on IRC as well. I'm going to do this in a separate
pass.

> As I use a transparent http cache at home (2Mb/s bandwidth), so far I have only
> added the signature, and not https, as it breaks the cache.

This doesn't seem to hold much weight. You're duplicating the source
tarball now, as it exists (on disk?) in your http cache and in makepkg's
SRCDEST. I'm not sure I see the benefit to doing this, particularly
since the caching in SRCDEST is entirely agnostic to the protocol used
to fetch it.

> Except the confidentiality of the request, what's the point to force https?

Security of sources, particularly those which we obtain without any
upstream verification mechanism such as a checksum or PGP signature.
Even for those with signatures or checksums, you must consider that
security is not a binary thing, and is always approached in layers.

d
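Dave mentions automating the search for PKGBUILDs that fetch sources over plain http, and points to checksums and PGP signatures as the other verification layers. The scanner below is an added example written for this thread; it is not Dave's script and not an Arch Linux tool. It parses `source=()` and `*sums=()` arrays with a deliberately naive regex (no shell expansion, so `$pkgver` stays literal), flags every http:// and `vcs+http://` entry, and records whether that entry is covered by a real checksum (not `SKIP`) or by a sibling `.sig`/`.asc` source, so the resulting TODO list can be ordered by how many layers are missing. The PKGBUILD fragments are constructed for the demo and do not correspond to real packages.

```python
import re

# Constructed PKGBUILD fragments for the demo; these are not real Arch packages.
SAMPLE_PKGBUILDS = {
    "bar": """\
pkgname=bar
source=("https://example.org/bar-1.2.tar.xz"
        "https://example.org/bar-1.2.tar.xz.sig")
validpgpkeys=('0000000000000000000000000000000000000000')
""",
    "baz": """\
pkgname=baz
source=(baz-2.0.tar.gz::http://mirror.example.net/baz.tgz
        git+https://example.org/baz.git)
md5sums=('0123456789abcdef0123456789abcdef' 'SKIP')
""",
    "foo": """\
pkgname=foo
pkgver=1.0
source=("http://example.org/foo-$pkgver.tar.gz"
        "http://example.org/foo-$pkgver.tar.gz.sig"
        "foo.patch")
sha256sums=('SKIP' 'SKIP'
            '0000000000000000000000000000000000000000000000000000000000000000')
""",
}

SUM_NAMES = ("md5sums", "sha1sums", "sha224sums", "sha256sums",
             "sha384sums", "sha512sums", "b2sums")
SIG_EXTS = (".sig", ".asc", ".sign")

# Matches source=(...), source_<arch>=(...) and the corresponding *sums arrays.
# Deliberately naive: no shell expansion, so $pkgver stays literal in the output.
ARRAY_RE = re.compile(
    r"^(source(?:_\w+)?|(?:md5|sha1|sha224|sha256|sha384|sha512|b2)sums(?:_\w+)?)"
    r"=\((.*?)\)",
    re.S | re.M,
)


def parse_arrays(pkgbuild):
    """Return {array_name: [entries]} for the source and checksum arrays."""
    return {name: [tok.strip("'\"") for tok in body.split()]
            for name, body in ARRAY_RE.findall(pkgbuild)}


def source_url(entry):
    """makepkg allows 'localname::url'; return just the url part."""
    name, sep, url = entry.partition("::")
    return url if sep else name


def scheme_of(url):
    """'http', 'git+https', ... or None for a file shipped next to the PKGBUILD."""
    return url.split("://", 1)[0].lower() if "://" in url else None


def is_plaintext_http(scheme):
    # Covers http:// and VCS fetches such as git+http://; ftp is out of scope here.
    return scheme == "http" or (scheme is not None and scheme.endswith("+http"))


def checksum_for(arrays, suffix, index):
    """True if at least one checksum array pins entry `index` with a real hash."""
    for base in SUM_NAMES:
        sums = arrays.get(base + suffix)
        if sums and index < len(sums) and sums[index].upper() != "SKIP":
            return True
    return False


def scan_pkgbuild(pkgname, pkgbuild):
    """List every plaintext-http source with the verification layers it still has."""
    arrays = parse_arrays(pkgbuild)
    findings = []
    for name, entries in arrays.items():
        if not name.startswith("source"):
            continue
        suffix = name[len("source"):]          # '' or '_x86_64' etc.
        urls = [source_url(e) for e in entries]
        for index, url in enumerate(urls):
            if not is_plaintext_http(scheme_of(url)) or url.endswith(SIG_EXTS):
                continue                        # https/local, or the .sig itself
            findings.append({
                "pkgname": pkgname,
                "url": url,
                "checksum": checksum_for(arrays, suffix, index),
                "signature": any(url + ext in urls for ext in SIG_EXTS),
            })
    return findings


def build_todo(pkgbuilds):
    """Scan a {pkgname: PKGBUILD text} mapping; worst-verified entries first."""
    todo = []
    for pkgname, text in sorted(pkgbuilds.items()):
        todo.extend(scan_pkgbuild(pkgname, text))
    # Neither layer present sorts first, then one layer, then both.
    return sorted(todo, key=lambda f: (f["checksum"] + f["signature"], f["pkgname"]))


def format_todo(todo):
    lines = []
    for f in todo:
        layers = ("checksum" if f["checksum"] else "NO checksum") + ", " + \
                 ("signed" if f["signature"] else "unsigned")
        lines.append(f'{f["pkgname"]}: {f["url"]}  [{layers}]')
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_todo(build_todo(SAMPLE_PKGBUILDS)))
```

Run against a checkout of the packaging tree, the `SAMPLE_PKGBUILDS` mapping would be replaced by reading each `PKGBUILD` from disk. Entries with neither a checksum nor a signature are the ones where the transport is the only integrity layer, so they sort to the top of the list.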
