[arch-general] [arch-dev-public] todo list for moving http -> https sources

[Guillaume ALAUX]

On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx at archlinux.org> wrote:
>
> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
> > As a middle ground, I think it would be more reasonable (or at least,
> > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
> > least parts of them. For an existing example, OpenBSD's signify(1) uses
> > their cryptographic signature system to sign a simple list sha256sums.
> >
> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that
> > contains a PGP signature (signed by the developer/TU's official key)
> > of the contents (properly serialised by makepkg so there's a minimum
> > of possible ambiguity) of the sha256sums array?
> >
>
> That is literally a _completely_ different topic that addresses
> _completely_ different areas.
> You are speaking about authenticating the build scripts itself. That
> does not solve _anything_ at all what this thread/topic/todo-list is about.
>
> Don't get me wrong: I don't judge about it at all, I'm just saying that
> both are fully independent from each other and you should please open a
> new thread if you want to discuss this rather then hijack this thread :)
>
> cheers,
> Levente
>

Yes, these are two totally different subjects: "Encourage the use of
PGP signatures in our `source`" and "Using HTTPS on our `source`".
Let's stick to the original subject :)

I am all in favor of a script to turn `http` into `https` when
available. Yeah HTTPS "brings a false sense of security" but still it
hardens a link in the build process. Sorry for your caches guys, I
might miss some background here but I couldn't imagine any reason to
go against adding some more security in our build process.