Hi,

On 07/06/17 at 09:44am, NicoHood wrote:
> On 07/06/2017 09:12 AM, Bartłomiej Piotrowski wrote:
> > On 2017-07-06 02:11, NicoHood wrote:
> >> On 07/05/2017 12:10 AM, Christian Hesse wrote:
> >>> Dave Reisner <d...@falconindy.com> on Sat, 2017/07/01 13:22:
> >>>> Hey all,
> >>>>
> >>>> This should be pretty much a no-brainer, but wanted to be sure I wasn't
> >>>> missing anything. Systemd upstream publishes a "systemd-stable" repo [1]
> >>>> which branches at each tag and cherry-picks backports. I'd like to
> >>>> switch our systemd package to this repo to avoid some of the duplication
> >>>> of work that Jan, Christian and myself have done in the past. The repo
> >>>> sees a bunch more activity than what our own backporting strategy has
> >>>> been, and I see that as a positive.
> >>>
> >>> Just a little heads-up... systemd 233.75-1 landed in [testing]. So give
> >>> it a try! ;)
> >>>
> >>> BTW, we had just one backported commit to be removed, so 74 new commits
> >>> landed in this package compared to 233-7. Let's hope this gives some
> >>> benefit.
> >>>
> >>
> >> Systemd still does not use https sources. Regarding the recent
> >> discussion about tricking git about wrong tags and other evil stuff it
> >> is highly recommended to switch to https. Please do it in favor for all
> >> ArchLinux users' security.
> >>
> >> Once more the reference:
> >> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
> >>
> >
> > Regarding the recent discussion:
> >
> > https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/028919.html
> >
> > I really hoped I wouldn't have to put "NicoHood" on top to make you realize
> > it's addressed to you. Please do it in favor for all Arch Linux packagers.
> >
>
> What are you blaming me for now? This is a package everyone must install
> and you are telling me we have other serious problems? Sure we have, but
> compared to the time it takes to add an "s" to "http" this is a simple
> excuse. And this is not about checksums man, this is about https where
> even gpg signatures by git can be tricked.

I believe that a large group of Dev/TUs do believe that security is a serious issue and that we should put some effort into security. And I can't thank everyone enough who has done a lot of work, for example for the Security Tracker. A few people have worked hard, without much complaining, and really made a difference.

For the whole signing issue we have a todo list for GPG signatures and never decided, as far as I know, on the sha256 or sha512 (or any poison) sums. Yet there is one individual in our community who keeps harassing (yes, it's called harassment) Dev/TUs to get GPG / HTTPS in PKGBUILDs. I would appreciate it if the discussion regarding GPG sigs etc. would be less dramatic. I'm kinda done with these requirements if I keep getting bugged that it's missing md5sums, https while I have a GPG sig. Calling out people, bugging them, isn't really the method to get things done.

Note that this is my personal opinion, I surely do not speak for Arch as a whole.

> And yes, I am doing stuff in the background. I wrote a guide and a tool
> that simplifies source code signing[1] and I am doing a detailed
> security analysis on all ArchLinux packages. And once it is ready I will
> request gpg signatures from every upstream source, especially packages
> from [core].

I appreciate the effort of contacting upstream about providing GPG signatures, that's really great!

-- 
Jelle van der Waa