[arch-general] [arch-dev-public] todo list for moving http -> https sources

[Diego Viola]

On Mon, Oct 31, 2016 at 2:18 PM, Guillaume ALAUX
<guillaume at archlinux.org> wrote:
> On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx at archlinux.org> wrote:
>>
>> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote:
>> > As a middle ground, I think it would be more reasonable (or at least,
>> > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at
>> > least parts of them. For an existing example, OpenBSD's signify(1) uses
>> > their cryptographic signature system to sign a simple list sha256sums.
>> >
>> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that
>> > contains a PGP signature (signed by the developer/TU's official key)
>> > of the contents (properly serialised by makepkg so there's a minimum
>> > of possible ambiguity) of the sha256sums array?
>> >
>>
>> That is literally a _completely_ different topic that addresses
>> _completely_ different areas.
>> You are speaking about authenticating the build scripts itself. That
>> does not solve _anything_ at all what this thread/topic/todo-list is about.
>>
>> Don't get me wrong: I don't judge about it at all, I'm just saying that
>> both are fully independent from each other and you should please open a
>> new thread if you want to discuss this rather then hijack this thread :)
>>
>> cheers,
>> Levente
>>
>
> Yes, these are two totally different subjects: "Encourage the use of
> PGP signatures in our `source`" and "Using HTTPS on our `source`".
> Let's stick to the original subject :)
>
> I am all in favor of a script to turn `http` into `https` when
> available. Yeah HTTPS "brings a false sense of security" but still it
> hardens a link in the build process. Sorry for your caches guys, I
> might miss some background here but I couldn't imagine any reason to
> go against adding some more security in our build process.

Thanks fnodeuser.