On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote:
> [2016-10-31 10:05:26 -0400] Dave Reisner:
> > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > > I agree with Sébastien. We should encourage upstream to digitally sign
> > > their releases, and verify their authenticity in our PKGBUILDs.
> > >
> > > Downloading releases over HTTPS gives a false sense of security:
> > > everybody knows the CA model is severely broken. In terms of security
> > > this simply does not compare with OpenPGP... In my view, switching our
> > > download links to HTTPS is nothing but an annoyance.
> >
> > The CA model is broken. http clients have bugs. http servers have bugs.
> > pgp has bugs. sovereign states might be snooping on connections. None of
> > these are reasons to avoid an attempt at providing another layer of
> > security. That's all TLS is and I'm not suggesting it's some panacea.
> >
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale, and some of them will likely not be interested in doing such
> > a thing. If an upstream won't provide PGP signatures, do you have
> > another suggestion as to how we can secure our process of obtaining
> > upstream sources in a reliable manner?
>
> All the nuances in my message were apparently lost on you...
>
> I said OpenPGP provides a much higher degree of security than HTTPS, so
> that's what we should strive to use. Obviously, for cases where digital
> signatures aren't available, downloading sources over HTTPS is better
> than nothing. What I argued, however, is that it's not much better than
> nothing, so we shouldn't become complacent and trust sources just
> because they came over TLS.
>
> Cheers.
>
> --
> Gaetan

I'll take this to mean that you don't have any objections about adding
additional layers of security.

d