[arch-dev-public] todo list for moving http -> https sources

Dave Reisner d at falconindy.com
Mon Oct 31 14:05:26 UTC 2016

On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> [2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > > There's been a sizeable number of bugs filed over the past month or so
> > > about changin PKGBUILDs to acquire sources from https rather than http.
> > > Rather than continue to flood the bug tracker, would anyone mind if I
> > > wrote a script to find instances of this and start a TODO list?  This
> > > would, of course, be low priority. Even if no one does anything, we at
> > > least have a statement of work and can avoid having these "bugs"
> > > littered around flyspray.
> > > 
> > > Unless there's strong opposition to this (and I'd be very interested to
> > > know why), I'll polish up my automation and create the list.
> > 
> > The few BR that reached me also requested the addition of a .sig.
> > As I use a transparent http cache at home (2Mb/s bandwidth), so far I only
> > added the signature, and not the https as it breaks the cache.
> > 
> > Except the confidentiality of the request, what's the point to force https?
> I agree with Sébastien. We should encourage upstream to digitally sign
> their releases, and verify their authenticity in our PKGBUILDs.
> Downloading releases over HTTPS gives a false sense of security:
> everybody knows the CA model is severely broken. In terms of security
> this simply does not compare with OpenPGP... In my view, switching our
> download links to HTTPS is nothing but an annoyance.

The CA model is broken. http clients have bugs. http servers have bugs.
pgp has bugs. sovereign states might be snooping on connections. None of
these are reasons to avoid an attempt at providing another layer of
security. That's all TLS is and I'm not suggesting it's some panacea.

Asking every upstream to provide a PGP signature isn't a process which
will scale, and some of them will likely not be interested in doing such
a thing. If an upstream won't provide PGP signatures, do you have
another suggestion as to how we can secure our process of obtaining
upstream sources in a reliable manner?


More information about the arch-dev-public mailing list