[arch-dev-public] todo list for moving http -> https sources

Dave Reisner d at falconindy.com
Mon Oct 31 19:33:42 UTC 2016


On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> Am 31.10.2016 um 15:05 schrieb Dave Reisner:
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale,
> 
> I am against enforcing https for projects which provide signatures. As
> Sebastien pointed out, there are valid reasons against using https and
> it adds no benefit when using signatures.

IMO, Sebastien didn't really provide any compelling evidence that
switching to https would be an encumbrance -- rather, a minor
inconvenience at worst.

Do you have other reasons to add? I'd be very interested to know why
this is a problem. We already have a large number of sources fetched
over https including several which include gpg signatures. Do you want
to revert those to http? Why or why not?

> However, I agree that asking every single author to provide signatures
> is likely infeasible.
> 
> > and some of them will likely not be interested in doing such
> > a thing.
> 
> Having no interest in signing your work is surely a bad sign. Maybe we
> should look into dropping such software where we can.

I don't really think you believe this...

> > If an upstream won't provide PGP signatures, do you have
> > another suggestion as to how we can secure our process of obtaining
> > upstream sources in a reliable manner?
> 
> You can't.
> 
> We could mirror the sources and sign them ourselves, but that would
> require that we actually audit the sources somehow.
> 

This, too, does not scale, and might even constitute a breach of the
software's license.

