On Thu, Nov 21, 2013 at 4:53 PM, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:
> Ville Skyttä wrote:
>> spectool is not a source verification tool nor a certificate
>> validation one, and I'm not going to help people get the misconception
>> that it might be something like that.
>
> So how do you think the verification should be done?

Um, source verification needs to be done... by verifying the sources? Diligence how deep maintainers want to go and their competence levels vary, but there's really no way around it.

Standard procedures for checking the authenticity of sources should include GPG/signature checking (if available), checksum checking (if available, hopefully signed), and cross checking with other consumers (e.g. other distros, if available). And authenticity checking is not verifying the sources nor enough -- upstreams make mistakes too, and packagers should really know what they're shipping, read and understand diffs between releases etc etc.

> If an upstream project doesn't PGP-sign the tarballs but does make them
> available over HTTPS, then the TLS connection is the only thing that
> ensures that the tarball you receive is the one that the developers
> published.

No, it doesn't, at all. For example the server may have had all its content compromised and serve all that over an HTTPS connection that passes whatever validity and authenticity checks one might want to throw at it.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
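The checksum and cross-checking steps listed in the reply, and the point that a matching checksum served from a compromised server proves nothing, as an added worked example. This is not code from the thread, from spectool or from Fedora; the file name `example-1.0.tar.gz`, the tarball bytes and the checksum files are constructed in memory, and `sums_signed` stands in for a signature check (e.g. `gpg --verify` against a key obtained out of band) that the caller is assumed to have done separately.

```python
"""Added example (not from the thread, spectool or Fedora): checking a source
tarball against a sha256sum-style checksum file and against digests recorded
by independent consumers. All inputs are constructed in memory; nothing is
fetched from the network."""
import hashlib
import hmac
import re

# One line of `sha256sum` output: 64 hex digits, whitespace, an optional '*'
# (coreutils binary-mode marker), then the file name.
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def parse_sha256sums(text):
    """Return {filename: hexdigest} parsed from sha256sum(1) output."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUMS_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_tarball(name, data, sums_text, sums_signed=False, independent_digests=()):
    """Classify a downloaded tarball.

    sums_signed must only be True if the caller has already verified a
    signature over sums_text with a key it trusts. An unsigned checksum
    file fetched from the same server as the tarball proves nothing about
    authenticity: whoever replaced the tarball can regenerate it.

    independent_digests are hashes recorded by other consumers of the same
    release (another distro's sources list, for instance). Any disagreement
    is a failure to investigate, not a warning.

    Returns (verdict, detail) with verdict in
    {"fail", "integrity-only", "corroborated"}.
    """
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return "fail", f"{name} is not listed in the checksum file"
    actual = sha256_hex(data)
    # Constant-time comparison is cheap insurance even for public digests.
    if not hmac.compare_digest(actual, expected):
        return "fail", f"sha256 mismatch for {name}: expected {expected}, got {actual}"
    for recorded in independent_digests:
        if not hmac.compare_digest(actual, recorded.lower()):
            return "fail", f"independent record {recorded} disagrees with {actual}"
    if sums_signed or independent_digests:
        return "corroborated", actual
    return "integrity-only", actual


# Constructed sample data: a stand-in for a release tarball and the checksum
# file a project would publish beside it (hypothetical file name).
NAME = "example-1.0.tar.gz"
GENUINE = b"genuine release tarball bytes\n"
SUMS = f"{sha256_hex(GENUINE)}  {NAME}\n"

# What a compromised server would serve: a modified tarball together with a
# freshly regenerated, unsigned checksum file. The checksum still "matches".
TROJANED = GENUINE + b"extra bytes an attacker added\n"
SUMS_FROM_COMPROMISED_SERVER = f"{sha256_hex(TROJANED)}  {NAME}\n"


if __name__ == "__main__":
    print(verify_tarball(NAME, GENUINE, SUMS))
    print(verify_tarball(NAME, TROJANED, SUMS))
    print(verify_tarball(NAME, TROJANED, SUMS_FROM_COMPROMISED_SERVER))
    print(verify_tarball(NAME, TROJANED, SUMS_FROM_COMPROMISED_SERVER,
                         independent_digests=[sha256_hex(GENUINE)]))
```

The third call is the case the reply describes: tarball and checksum file both replaced on the server, so the hash matches and the verdict is only "integrity-only". Only a signature verified with a key obtained out of band, or a digest recorded by an independent consumer, moves the verdict to "corroborated" or exposes the substitution as a failure.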