On Mon, Feb 15, 2016 at 8:14 PM, Nicolas F. <archlist@xxxxxxxxx> wrote:
> Hi all,
>
> quick reminder that SourceForge was recently acquired and since then
> has enabled HTTPS on all of the site. Since some PKGBUILDs fetch their
> sources from SourceForge, it might be a good idea to switch them from
> using plain http:// to https://.
>
> While the certificate authority model is arguably broken when it comes
> to protecting against state-sponsored attacks, this will give some
> additional security to ensure that the sources packagers fetch and
> generate the hash sums from are actually the sources the project
> releases, and not a malicious man-in-the-middle response by some third
> party.
>
> Finding the affected packages should be as simple as running the
> following in the ABS root:
>
> for f in $(egrep -r -l 'http://.*\.sourceforge\.net' *); do \
>     echo $(dirname $f); done | uniq
>
> I'm counting 937 affected packages here.

Cool, any reason why you didn't submit a patch? Just curious, as you already went ahead and did the legwork.
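As an added example (not code from either message in the thread), the sweep Nicolas describes can be done as two small POSIX sh functions: one that lists, once each, the package directories whose PKGBUILD still fetches from SourceForge over plain http, and one that rewrites those URLs to https with a backup copy for review. It assumes the usual ABS layout of `<root>/<repo>/<pkg>/PKGBUILD` and restricts the search to files named PKGBUILD so .install files and patches are not counted.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed layout: <root>/<repo>/<pkg>/PKGBUILD (ABS checkout).

# Pattern for SourceForge URLs on plain http, with or without a subdomain
# such as downloads.sourceforge.net.
SF_HTTP_RE='http://([A-Za-z0-9.-]+\.)?sourceforge\.net'

# Print the directory of every PKGBUILD under $1 that still contains a
# plain-http SourceForge URL. Only files named PKGBUILD are inspected, and
# sort -u deduplicates regardless of the order find returns them in.
list_http_sourceforge_pkgs() {
    root="$1"
    find "$root" -name PKGBUILD -exec grep -l -E "$SF_HTTP_RE" {} + \
        | while IFS= read -r f; do dirname "$f"; done | sort -u
}

# Rewrite plain-http SourceForge URLs in one PKGBUILD to https, in place.
# A .orig copy is kept next to it so the change can be reviewed with diff
# before the fetched tarballs are re-checked against the recorded sums.
rewrite_http_sourceforge() {
    f="$1"
    sed -i.orig -E 's#http://(([A-Za-z0-9.-]+\.)?sourceforge\.net)#https://\1#g' "$f"
}

# Typical use from the ABS root:
#   list_http_sourceforge_pkgs . > affected.txt
#   while IFS= read -r d; do rewrite_http_sourceforge "$d/PKGBUILD"; done < affected.txt
```

After rewriting, re-downloading the sources over https and confirming that the checksums already recorded in each PKGBUILD still match gives the assurance the message is after: it shows the tarball the packager originally hashed over http is the same one the project serves over an authenticated connection.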