[arch-general] SourceForge now supports TLS, update source URLs

Carsten Mattner carstenmattner at gmail.com
Tue Feb 16 10:55:28 UTC 2016

On Mon, Feb 15, 2016 at 8:14 PM, Nicolas F. <archlist at fratti.ch> wrote:
> Hi all,
> quick reminder that SourceForge was recently acquired and since then
> has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their
> sources from SourceForge, it might be a good idea to switch them from
> using plain http:// to https://.
> While the certificate authority model is arguably broken when it comes
> to protecting against state-sponsored attacks, this will give some
> additional security to ensure that the sources packagers fetch and
> generate the hash sums from are actually the sources the project
> releases, and not a malicious man-in-the-middle response by some third
> party.
> Finding the affected packages should be as simple as running the
> following in the ABS root:
>     for f in $(egrep -r -l 'http://.*\.sourceforge\.net' *); do \
>     echo $(dirname $f); done | uniq
> I'm counting 937 affected packages here.

Cool, any reason why didn't submit a patch? Just curious,
as you already went ahead and did the legwork.

More information about the arch-general mailing list