[arch-dev-public] todo list for moving http -> https sources

Thomas Bächler thomas at archlinux.org
Mon Oct 31 19:14:32 UTC 2016

Am 31.10.2016 um 15:05 schrieb Dave Reisner:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,

I am against enforcing https for projects which provide signatures. As
Sebastien pointed out, there are valid reasons against using https and
it adds no benefit when using signatures.

However, I agree that asking every single author to provide signatures
is likely infeasible.

> and some of them will likely not be interested in doing such
> a thing.

Having no interest in signing your work is surely a bad sign. Maybe we
should look into dropping such software where we can.

> If an upstream won't provide PGP signatures, do you have
> another suggestion as to how we can secure our process of obtaining
> upstream sources in a reliable manner?

You can't.

We could mirror the sources and sign them ourselves, but that would
require that we actually audit the sources somehow.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20161031/f6d9b5cb/attachment.asc>

More information about the arch-dev-public mailing list