[arch-general] SourceForge now supports TLS, update source URLs

Nicolas F. archlist at fratti.ch
Mon Feb 15 19:14:24 UTC 2016


Hi all,

quick reminder that SourceForge was recently acquired and since then
has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their
sources from SourceForge, it might be a good idea to switch them from
using plain http:// to https://.

While the certificate authority model is arguably broken when it comes
to protecting against state-sponsored attacks, this will give some
additional security to ensure that the sources packagers fetch and
generate the hash sums from are actually the sources the project
releases, and not a malicious man-in-the-middle response by some third
party.

Finding the affected packages should be as simple as running the
following in the ABS root:

    # Print each directory that contains a plain-HTTP SourceForge URL, once
    grep -E -r -l 'http://.*\.sourceforge\.net' * | while IFS= read -r f; do
        dirname "$f"; done | sort -u

I'm counting 937 affected packages here.

Cheers
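
An added example (not part of the original post) that extends the one-liner above: it restricts the search to PKGBUILD files, anchors the match to the host part of the URL, and rewrites matches to https://. The function names, the host pattern and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and fix plain-HTTP SourceForge URLs in PKGBUILDs.
# Usage: sf_list_http /path/to/abs ; sf_upgrade /path/to/abs
# SF_HOST_RE is this example's assumption: sourceforge.net or any subdomain,
# immediately followed by a path, so the match cannot sit inside another URL.
SF_HOST_RE='([A-Za-z0-9-]+\.)*sourceforge\.net/'

# Print "package-dir<TAB>scheme-and-host" for every plain-HTTP match under $1.
sf_list_http() {
    find "$1" -type f -name PKGBUILD | sort | while IFS= read -r f; do
        grep -Eo "http://$SF_HOST_RE" "$f" | sort -u | while IFS= read -r u; do
            printf '%s\t%s\n' "$(dirname "$f")" "$u"
        done
    done
}

# Rewrite matches to https:// in place; print each PKGBUILD that changed.
sf_upgrade() {
    find "$1" -type f -name PKGBUILD | sort | while IFS= read -r f; do
        grep -Eq "http://$SF_HOST_RE" "$f" || continue
        tmp=$(mktemp) || return 1
        sed -E "s#http://($SF_HOST_RE)#https://\1#g" "$f" >"$tmp"
        cat "$tmp" >"$f" && rm -f "$tmp"   # cat keeps the file's mode and owner
        printf '%s\n' "$f"
    done
}

# Constructed sample tree (not real packages) to try both functions on.
sf_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/extra/foo" "$root/community/bar" "$root/core/baz"
    printf '%s\n' 'source=("http://downloads.sourceforge.net/foo/foo-1.0.tar.gz")' \
        >"$root/extra/foo/PKGBUILD"
    printf '%s\n' 'url="http://bar.sourceforge.net/"' \
        'source=("https://downloads.sourceforge.net/bar/bar-2.0.tar.gz")' \
        >"$root/community/bar/PKGBUILD"
    # The looser pattern in the post matches this line; the anchored one does not.
    printf '%s\n' 'source=("http://example.org/mirror/files.sourceforge.net/baz.tar.gz")' \
        >"$root/core/baz/PKGBUILD"
    printf '%s\n' "$root"
}
```

The rewrite changes only the URL scheme; the checksums in each PKGBUILD are left as they are.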

