[arch-general] secure package signing related websites
Leonid Isaev
lisaev at umail.iu.edu
Sun Mar 4 11:32:45 EST 2012
On Sun, 4 Mar 2012 14:56:43 +0100
Christian Hesse <list at eworm.de> wrote:
> Ionut Biru <ibiru at archlinux.org> on Sun, 04 Mar 2012 12:57:53 +0200:
> > On 03/04/2012 12:22 PM, Christian Hesse wrote:
> > > I think it makes sense to not allow pages related to package signing
> > > being delivered via http. Instead automatically redirect to https to
> > > avoid man in the middle attacks. First site that comes to my mind:
> > > https://www.archlinux.org/master-keys/
> >
> > open a feature request and tag it with {archweb}
>
> Done. Thanks!
> https://bugs.archlinux.org/task/28771
The strong point of the signing thingy is users' ability to verify keys
using multiple independent sources, such as devs' personal websites,
keyservers, etc. Relying on archlinux.org solely would be a mistake, imho. Do
I really trust in integrity of archlinux.org infrastructure? Not really, but I
don't have to.
Having said that, just use https:// directly or install a browser plugin (e.g.
https finder).
--
Leonid Isaev
GnuPG key ID: 164B5A6D
Key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20120304/c29d8ca6/attachment.asc>
More information about the arch-general
mailing list