Hi all,

Quick reminder that SourceForge was recently acquired and since then has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their sources from SourceForge, it might be a good idea to switch them from using plain http:// to https://. While the certificate authority model is arguably broken when it comes to protecting against state-sponsored attacks, this will give some additional security to ensure that the sources packagers fetch and generate the hash sums from are actually the sources the project releases, and not a malicious man-in-the-middle response by some third party.

Finding the affected packages should be as simple as running the following in the ABS root:

    for f in $(egrep -r -l 'http://.*\.sourceforge\.net' *); do \
        echo $(dirname $f); done | uniq

I'm counting 937 affected packages here.

Cheers