[arch-dev-public] todo list for moving http -> https sources
Thomas Bächler
thomas at archlinux.org
Mon Oct 31 19:14:32 UTC 2016
On 31.10.2016 at 15:05, Dave Reisner wrote:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,
I am against enforcing https for projects which provide signatures. As
Sebastien pointed out, there are valid reasons against using https and
it adds no benefit when using signatures.
However, I agree that asking every single author to provide signatures
is likely infeasible.
> and some of them will likely not be interested in doing such
> a thing.
Having no interest in signing your work is surely a bad sign. Maybe we
should look into dropping such software where we can.
> If an upstream won't provide PGP signatures, do you have
> another suggestion as to how we can secure our process of obtaining
> upstream sources in a reliable manner?
You can't.
We could mirror the sources and sign them ourselves, but that would
require that we actually audit the sources somehow.
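The thread's point that a signature from upstream makes the transport irrelevant only holds if the package build actually pins the upstream key: a signature that merely verifies against *some* key in the keyring proves nothing. The following is an added example, not code from this thread or from Arch's tooling, showing how a build helper can judge a detached OpenPGP signature the way a PKGBUILD's `validpgpkeys` array does, by parsing GnuPG's `--status-fd` output for a `VALIDSIG` whose fingerprint is on an allowlist, and falling back to a pinned SHA-256 for upstreams that publish no signature. The status lines, fingerprints and file names below are constructed for illustration; the `[GNUPG:]` token names and field positions are GnuPG's documented status format.

```python
import hashlib
import subprocess
from pathlib import Path

# Status tokens GnuPG prints on --status-fd when a signature did NOT verify,
# or verified with a key that must not be trusted (expired, revoked, unknown).
_BAD_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def signature_is_trusted(status_output: str, allowed_fingerprints) -> bool:
    """Return True only if the status output contains a VALIDSIG whose signing-key
    fingerprint, or the primary-key fingerprint when a subkey signed, is on the
    pinned allowlist. GOODSIG alone is not enough: it only says the signature is
    valid for some key in the keyring, not that the key belongs to upstream."""
    allowed = {fp.replace(" ", "").upper() for fp in allowed_fingerprints}
    seen_pinned_valid = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        token = fields[1]
        if token in _BAD_TOKENS:
            return False  # any failed or untrustworthy signature rejects the file
        if token == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            fprs = {fields[2].upper()}
            if len(fields) > 11:
                fprs.add(fields[11].upper())
            if fprs & allowed:
                seen_pinned_valid = True
    return seen_pinned_valid


def verify_detached(source: Path, signature: Path, allowed_fingerprints, gpg="gpg") -> bool:
    """Run gpg non-interactively and judge the result with signature_is_trusted()
    instead of trusting the exit code alone (assumes a gpg binary on PATH)."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", str(signature), str(source)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, allowed_fingerprints)


def checksum_matches(source: Path, expected_sha256: str) -> bool:
    """Fallback for upstreams without signatures: compare against a digest pinned
    in the build recipe. This only detects changes since the recipe was written;
    it cannot show whether the first download was the genuine release."""
    h = hashlib.sha256()
    with source.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256.lower()


# Pinned upstream primary-key fingerprint, written with spaces the way key
# servers display it (constructed value, not any real project's key).
PINNED_KEYS = ["0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"]

# Constructed --status-fd output: a valid signature by a subkey of the pinned key.
STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-10-31 1477929272 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a perfectly valid signature, but from a key nobody pinned.
STATUS_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Somebody Else <else@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-10-31 1477929272 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Constructed: the pinned key signed it, but the key had already expired.
STATUS_EXPIRED = """\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-10-31 1477929272 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    for name, status in [("ok", STATUS_OK), ("unpinned", STATUS_UNPINNED), ("expired", STATUS_EXPIRED)]:
        print(name, signature_is_trusted(status, PINNED_KEYS))
```

The allowlist check is what the thread's "signatures make https unnecessary" argument relies on: an attacker who can tamper with an unencrypted download can just as easily replace the `.sig` with one from their own key, and `gpg --verify` will happily report `GOODSIG` for it once that key is in the keyring. Pinning the fingerprint in the recipe is what turns the signature into an actual authenticity check.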