[arch-general] SourceForge now supports TLS, update source URLs
archlist at fratti.ch
Mon Feb 15 19:14:24 UTC 2016
Quick reminder that SourceForge was recently acquired and since then
has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their
sources from SourceForge, it might be a good idea to switch them from
using plain http:// to https://.
While the certificate authority model is arguably broken when it comes
to protecting against state-sponsored attacks, this will give some
additional security to ensure that the sources packagers fetch and
generate the hash sums from are actually the sources the project
releases, and not a malicious man-in-the-middle response by some third
Finding the affected packages should be as simple as running the
following in the ABS root:
    # Print each package directory that still has a plain-http SourceForge URL
    for f in $(grep -E -r -l 'http://.*\.sourceforge\.net' *); do \
        dirname "$f"; done | uniq
I'm counting 937 affected packages here.
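
As an added example (not part of the original post and not Arch tooling), the search above can be restricted to PKGBUILD files and paired with a scheme-only rewrite. The function names, the tightened host regex and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Matches http:// URLs whose host is sourceforge.net or a subdomain of it; the
# trailing group rejects look-alike hosts such as sourceforge.net.example.org.
SF_HTTP_RE='http://(([A-Za-z0-9-]+\.)*sourceforge\.net)([^A-Za-z0-9.-]|$)'

# Print each package directory under $1 whose PKGBUILD has such a URL.
list_http_sf_pkgs() {
    grep -rlE --include=PKGBUILD "$SF_HTTP_RE" "$1" |
        while IFS= read -r f; do dirname "$f"; done | sort -u
}

# Rewrite only the scheme of matching URLs in file $1, keeping its mode.
rewrite_to_https() {
    tmp=$(mktemp) || return 1
    sed -E "s#$SF_HTTP_RE#https://\\1\\3#g" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Rewrite every affected PKGBUILD under $1 and print the directories touched.
# Checksums are left alone: re-fetch over HTTPS and compare before committing.
fix_tree() {
    list_http_sf_pkgs "$1" | while IFS= read -r d; do
        rewrite_to_https "$d/PKGBUILD" && printf '%s\n' "$d"
    done
}

# Constructed sample tree (not real packages) so the script runs offline.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/core/foo" "$root/extra/bar" "$root/extra/baz"
    printf '%s\n' 'source=("http://downloads.sourceforge.net/foo/foo-1.0.tar.gz"' \
        '        "http://example.org/foo.patch")' > "$root/core/foo/PKGBUILD"
    printf '%s\n' 'source=("https://downloads.sourceforge.net/bar/bar-2.0.tar.gz")' \
        > "$root/extra/bar/PKGBUILD"
    printf '%s\n' 'url="http://sourceforge.net.example.org/baz"' \
        > "$root/extra/baz/PKGBUILD"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree) || exit 1
fix_tree "$demo"      # prints only the core/foo directory of the sample tree
rm -rf "$demo"
```

Only the URL scheme changes; the checksum arrays in each PKGBUILD still need to be confirmed against sources fetched over HTTPS.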