On Mon, Oct 31, 2016 at 2:18 PM, Guillaume ALAUX <guillaume@xxxxxxxxxxxxx> wrote: > On Mon, Oct 31, 2016 at 4:16 PM, Levente Polyak <anthraxx@xxxxxxxxxxxxx> wrote: >> >> On 10/31/2016 04:03 PM, Patrick Burroughs (Celti) wrote: >> > As a middle ground, I think it would be more reasonable (or at least, >> > less unreasonable) to modify makepkg to allow signing PKGBUILDs, or at >> > least parts of them. For an existing example, OpenBSD's signify(1) uses >> > their cryptographic signature system to sign a simple list sha256sums. >> > >> > Perhaps makepkg could include, e.g., a sha256sumsigs array, that >> > contains a PGP signature (signed by the developer/TU's official key) >> > of the contents (properly serialised by makepkg so there's a minimum >> > of possible ambiguity) of the sha256sums array? >> > >> >> That is literally a _completely_ different topic that addresses >> _completely_ different areas. >> You are speaking about authenticating the build scripts itself. That >> does not solve _anything_ at all what this thread/topic/todo-list is about. >> >> Don't get me wrong: I don't judge about it at all, I'm just saying that >> both are fully independent from each other and you should please open a >> new thread if you want to discuss this rather then hijack this thread :) >> >> cheers, >> Levente >> > > Yes, these are two totally different subjects: "Encourage the use of > PGP signatures in our `source`" and "Using HTTPS on our `source`". > Let's stick to the original subject :) > > I am all in favor of a script to turn `http` into `https` when > available. Yeah HTTPS "brings a false sense of security" but still it > hardens a link in the build process. Sorry for your caches guys, I > might miss some background here but I couldn't imagine any reason to > go against adding some more security in our build process. Thanks fnodeuser.
