Ville Skyttä wrote:

> Standard procedures for checking the authenticity of sources should
> include GPG/signature checking (if available), checksum checking (if
> available, hopefully signed), and cross-checking with other consumers
> (e.g. other distros, if available).

But not using HTTPS, even if it's the only method available?

> > If an upstream project doesn't PGP-sign the tarballs but does make
> > them available over HTTPS, then the TLS connection is the only thing
> > that ensures that the tarball you receive is the one that the
> > developers published.
>
> No, it doesn't, at all. For example the server may have had all its
> content compromised and serve all that over an HTTPS connection that
> passes whatever validity and authenticity checks one might want to
> throw at it.

And how does sabotaging HTTPS improve the situation? Are you hoping that
the attacker won't bother compromising the server because a
man-in-the-middle attack on the unauthenticated connection will be
easier?

-- 
Björn Persson

Sent from my computer.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
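The layered procedure the thread argues about (HTTPS-only fetch, signature check, checksum check, cross-check against other consumers), written out as an added example. This is not code from the thread, from Fedora, or from any distro's packaging tooling. Assumptions that are mine rather than the message's: the checksum file is in `sha256sum` output format, the "other consumers" are modelled as a dict of digests recorded independently by other distros, and the signature step shells out to a real `gpg` binary when one is on PATH and is skipped otherwise. The sample tarball, checksum file and consumer records in the `__main__` block are constructed, not a real release.

```python
# Source-tarball verification pipeline. Added example; not the thread's or
# any distro's code. Assumptions (mine): sha256sum-format checksum file,
# other consumers modelled as a dict of digests, gpg called only if present.
from __future__ import annotations

import hashlib
import shutil
import subprocess
from typing import Optional
from urllib.parse import urlparse

HEX = set("0123456789abcdef")


def require_https(url: str) -> str:
    """Refuse plaintext HTTP. TLS only stops an attacker on the path from
    swapping bytes in transit; it says nothing about a compromised origin."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS source URL: {url}")
    return url


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse `sha256sum` output: '<64 hex>  <name>' (or '<hex> *<name>' in
    binary mode). Malformed lines are an error, not silently skipped."""
    sums: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, name: str, sums: dict[str, str]) -> bool:
    """True iff the tarball's SHA-256 equals the published one for `name`.
    If SHA256SUMS is unsigned and came from the same server as the tarball,
    this only catches transit corruption, not a server-side substitution."""
    if name not in sums:
        raise KeyError(f"{name!r} is not listed in the checksum file")
    return sha256_hex(data) == sums[name]


def cross_check(name: str, digest: str,
                consumers: dict[str, dict[str, str]]) -> list[str]:
    """Names of consumers (other distros etc.) whose recorded digest for
    `name` differs from ours. A server compromise that regenerated
    SHA256SUMS alongside the tarball passes checksum_matches() but shows up
    here, provided at least one consumer fetched before the compromise."""
    return sorted(who for who, recorded in consumers.items()
                  if name in recorded and recorded[name] != digest)


def gpg_verify(sig_path: str, data_path: str, expected_fpr: str) -> Optional[bool]:
    """Run `gpg --verify` and accept only a VALIDSIG status line naming the
    pinned fingerprint. Returns None when no gpg binary is available, so the
    caller can tell 'could not verify' apart from 'bad signature'."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    fpr = expected_fpr.replace(" ", "").upper()
    valid = any(line.startswith("[GNUPG:] VALIDSIG ") and fpr in line.split()
                for line in proc.stdout.splitlines())
    return proc.returncode == 0 and valid


def verify_source(url: str, name: str, data: bytes, sums_text: str,
                  consumers: dict[str, dict[str, str]]) -> tuple[bool, list[str]]:
    """Apply the transport, checksum and cross-check steps; (ok, findings)."""
    findings: list[str] = []
    require_https(url)
    sums = parse_sha256sums(sums_text)
    if not checksum_matches(data, name, sums):
        findings.append("checksum mismatch against published SHA256SUMS")
    disagree = cross_check(name, sha256_hex(data), consumers)
    if disagree:
        findings.append(f"digest differs from what {', '.join(disagree)} recorded")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample data, not a real release.
    tarball = b"\x1f\x8b" + b"fake-release-1.0.tar.gz contents"
    good = sha256_hex(tarball)
    sums_text = f"{good}  foo-1.0.tar.gz\n"
    consumers = {"distro-a": {"foo-1.0.tar.gz": good},
                 "distro-b": {"foo-1.0.tar.gz": sha256_hex(b"something else")}}
    print(verify_source("https://example.org/foo-1.0.tar.gz", "foo-1.0.tar.gz",
                        tarball, sums_text, consumers))
```

The split between `checksum_matches` and `cross_check` is the point of the exchange: a checksum file served next to the tarball over HTTPS is only as trustworthy as the server, so an unsigned one adds nothing against a compromised origin, while HTTPS is what stops the cheaper on-path substitution. The signature step is where the fingerprint pin matters; `gpg --verify` exiting 0 alone only says some key in the keyring signed the file.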