[arch-dev-public] todo list for moving http -> https sources
Gaetan Bisson
bisson at archlinux.org
Tue Nov 1 02:09:40 UTC 2016
[2016-10-31 10:05:26 -0400] Dave Reisner:
> On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > I agree with Sébastien. We should encourage upstream to digitally sign
> > their releases, and verify their authenticity in our PKGBUILDs.
> >
> > Downloading releases over HTTPS gives a false sense of security:
> > everybody knows the CA model is severely broken. In terms of security
> > this simply does not compare with OpenPGP... In my view, switching our
> > download links to HTTPS is nothing but an annoyance.
>
> The CA model is broken. http clients have bugs. http servers have bugs.
> pgp has bugs. sovereign states might be snooping on connections. None of
> these are reasons to avoid an attempt at providing another layer of
> security. That's all TLS is and I'm not suggesting it's some panacea.
>
> Asking every upstream to provide a PGP signature isn't a process which
> will scale, and some of them will likely not be interested in doing such
> a thing. If an upstream won't provide PGP signatures, do you have
> another suggestion as to how we can secure our process of obtaining
> upstream sources in a reliable manner?
All the nuances in my message were apparently lost on you...
I said OpenPGP provides a much higher degree of security than HTTPS, so
that's what we should strive to use. Obviously, for cases where digital
signatures aren't available, downloading sources over HTTPS is better
than nothing. What I argued, however, is that it's not much better than
nothing, so we shouldn't become complacent and trust sources just
because they came over TLS.
Cheers.
--
Gaetan
More information about the arch-dev-public
mailing list