On Mon, 2016-10-31 at 17:03 -0400, Dave Reisner wrote: > On Mon, Oct 31, 2016 at 04:36:23PM -0400, Travis Burtrum wrote: > > From abb057844eec0e5707c31b643d0f2187b4cf0eb6 Mon Sep 17 00:00:00 > > 2001 > > From: Travis Burtrum <travis.archli...@burtrum.org> > > Date: Mon, 31 Oct 2016 02:12:31 -0400 > > Subject: [PATCH] Add per-repo PinnedPubKey option > > > > This sets curl's CURLOPT_PINNEDPUBLICKEY option in the built-in > > downloader, or replaces %p in XferCommand. This pins public > > keys to ensure your TLS connection is not man-in-the-middled > > without relying on CAs etc. Probably most useful currently > > for very small groups or single servers. > > > > It would obviously be best as a per-mirror option, but such > > a thing currently does not exist. > > But perhaps as part of a larger scope, it could... As mentioned on > IRC, > I'm not a huge fan of this.
Perhaps Pacman should just learn to respect HPKP? It's actually supported by wget now, take a look at ~/.wget-hsts. Pacman could have a similar file in the sync database directory. Then it just kicks in after the first connection and as long as Pacman keeps accessing that mirror it will keep updating the date. It could work quite well since we don't support not upgrading for long periods of time.
signature.asc
Description: This is a digitally signed message part
