Re: VLC missing chain of trust

2017-07-05 Thread Stuart Gathman
On 07/05/2017 10:33 AM, Sérgio Basto wrote:
> Germano,
> Are you simply requesting https in the rpm spec? Or something else? For
> that you just need to make one pull request via github, for example ...
I think he is concerned that you might have downloaded the source using
http instead of https. That concern is easy to check by downloading the
source via https and comparing the hash of the source in the rpm.

A worse problem is that by default, vlc redirects to mirrors, which do
not all use https, and the nightly versions are not signed. So he is
suggesting that Fedora not use nightly versions, as there is no easy
chain of trust. However, the chain of trust can still be checked by
manually downloading via https and not using a mirror.
> On Tue, 2017-07-04 at 18:33 +0200, Germano Massullo wrote:
>> VLC package shipped by RPMFusion is missing a chain of trust with
>> upstream developers.
>> As exhaustively explained by Fabio Pietrosanti (naif) at VLC bug report
>> [1], upstream has the bad habit to ship VLC using http instead of https.

___
rpmfusion-developers mailing list -- rpmfusion-developers@lists.rpmfusion.org
To unsubscribe send an email to rpmfusion-developers-le...@lists.rpmfusion.org


Re: VLC missing chain of trust

2017-07-05 Thread Sérgio Basto
Germano, are you simply requesting https in the rpm spec? Or something else?
For that you just need to make one pull request via github, for example ...

On Tue, 2017-07-04 at 18:33 +0200, Germano Massullo wrote:
> VLC package shipped by RPMFusion is missing a chain of trust with
> upstream developers.
> As exhaustively explained by Fabio Pietrosanti (naif) at VLC bug report
> [1], upstream has the bad habit to ship VLC using http instead of https.
> You should argue that you could use GPG signing verification to avoid
> man-in-the-middle attacks (proof of concept against VLC upstream at [2]),
> but actually Fedora 25 ships[3] nightly builds, that are not signed [4].
> Instead, the 2.2.6 version used to be at least signed[5], with a
> self-signed certificate[6].
> I also filed a bug report at [7]
> 
> [1]: https://trac.videolan.org/vlc/ticket/18472
> [2]: https://github.com/drego85/Why-VLC-NEED-to-enforce-HTTPS
> [3]: https://pkgs.rpmfusion.org/cgit/free/vlc.git/tree/vlc.spec?h=f25#n4
> [4]: http://nightlies.videolan.org/build/source/
> [5]: http://download.videolan.org/pub/videolan/vlc/2.2.6/
> [6]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7180713BE58D1ADC
> [7]: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4584
-- 
Sérgio M. B.
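Stuart's manual check (fetch the tarball over https from download.videolan.org rather than a mirror, and compare its hash with the one the rpm records) together with the signature verification Germano refers to, written up as an added example script; it is not from anyone in the thread. The tarball and .asc file names under the 2.2.6 directory, the keyring path and where the expected digest is kept are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread: fetch a VLC release strictly over https,
# refuse redirects to plain-http mirrors, verify the detached GPG signature,
# and compare the sha256 with the digest recorded for the rpm.
set -eu

# Release directory from reference [5] in the thread, but over https.
# File names vlc-<ver>.tar.xz and vlc-<ver>.tar.xz.asc are assumptions.
BASE_URL="https://download.videolan.org/pub/videolan/vlc"

# Download only over https. If the server redirects to an http:// mirror,
# --proto-redir makes curl fail instead of silently downgrading.
fetch_https() {
  # $1 = version, $2 = file name, $3 = destination path
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       -o "$3" "$BASE_URL/$1/$2"
}

# Verify the detached signature against a keyring whose key fingerprint you
# have already compared out of band (keyring path is an assumption).
verify_signature() {
  # $1 = tarball, $2 = .asc file, $3 = keyring path
  gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Compare the sha256 of a local file with an expected hex digest.
# Returns 0 on match, 1 on mismatch. The expected value is whatever the
# packager recorded for the rpm (e.g. a "sources" file next to the spec;
# that location is an assumption).
check_sha256() {
  # $1 = file, $2 = expected hex digest
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Typical use (needs network access and the checked keyring):
#   fetch_https 2.2.6 vlc-2.2.6.tar.xz vlc-2.2.6.tar.xz
#   fetch_https 2.2.6 vlc-2.2.6.tar.xz.asc vlc-2.2.6.tar.xz.asc
#   verify_signature vlc-2.2.6.tar.xz vlc-2.2.6.tar.xz.asc ./videolan.gpg
#   check_sha256 vlc-2.2.6.tar.xz "$(cut -d' ' -f1 expected.sha256)"
```

A nightly build from reference [4] has no .asc to feed to verify_signature, which is exactly the gap in the chain of trust the thread is about.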