On Thu, Nov 21, 2013 at 08:41:21PM +0200, Ville Skyttä wrote: > On Thu, Nov 21, 2013 at 4:53 PM, Björn Persson > <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote: > > Ville Skyttä wrote: > >>spectool is not a source verification tool nor a certificate > >>validation one, and I'm not going to help people get the misconception > >>that it might be something like that. > > > > So how do you think the verification should be done? > > Um, source verification needs to be done... by verifying the sources? > Diligence how deep maintainers want to go and their competence levels > vary, but there's really no way around it. Standard procedures for > checking the authenticity of sources should include GPG/signature > checking (if available), checksum checking (if available, hopefully > signed), and cross checking with other consumers (e.g. other distros, > if available). And authenticity checking is not verifying the sources > nor enough -- upstreams make mistakes too, and packagers should really > know what they're shipping, read and understand diffs between releases > etc etc. How many packagers do this? > > If an upstream project doesn't PGP-sign the tarballs but does make them > > available over HTTPS, then the TLS connection is the only thing that > > ensures that the tarball you receive is the one that the developers > > published. > > No, it doesn't, at all. For example the server may have had all its > content compromised and serve all that over an HTTPS connection that > passes whatever validity and authenticity checks one might want to > throw at it. Even if you read the diff, it might not help, because an important fix for a vulnerability might be missing. So there is no 100% security. However using HTTPS URLs with sane software should allow to trust that the TLS connection was properly verified. With the change you risk also persons who are e.g. upstream and Fedora maintainers using HTTPS URLs to fetch their published tarball. There is no need for them to use other out-of-band validation techniques to verify that the tarball they downloaded is the same they uploaded unless they have reasonable doubt about their system. However, if you do not want to use HTTPS to verify the transfered contents then just use plain HTTP. Using HTTPS but not verifying the server's certificate makes things only worse as long as no secret contents are transmitted. Regards Till -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
