On 2016-10-31 14:19, NicoHood wrote:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
>
> However if you write such a script, it should also check if an htt
[2016-11-01 09:55:11 -0400] Dave Reisner:
> On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote:
> > [2016-10-31 10:05:26 -0400] Dave Reisner:
> > > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > > > I agree with Sébastien. We should encourage upstream to digitally sig
On 01/11, Sébastien Luttringer wrote:
On Sun, 2016-10-30 at 22:47 -0400, Dave Reisner wrote:
On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote:
> On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> As I use a transparent http cache at home (2Mb/s bandwidth), so far I only
On Sun, 2016-10-30 at 22:47 -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote:
> > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > As I use a transparent http cache at home (2Mb/s bandwidth), so far I only
> > added the signature, and not t
On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote:
> [2016-10-31 10:05:26 -0400] Dave Reisner:
> > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > > I agree with Sébastien. We should encourage upstream to digitally sign
> > > their releases, and verify their authentic
[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
>
> Using PGP signatures is another discussion, also the hash algorit
[2016-10-31 10:05:26 -0400] Dave Reisner:
> On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > I agree with Sébastien. We should encourage upstream to digitally sign
> > their releases, and verify their authenticity in our PKGBUILDs.
> >
> > Downloading releases over HTTPS gives a f
On Mon, Oct 31, 2016 at 03:33:42PM -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> > Am 31.10.2016 um 15:05 schrieb Dave Reisner:
> > > Asking every upstream to provide a PGP signature isn't a process which
> > > will scale,
> >
> > I am against enfor
On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> Am 31.10.2016 um 15:05 schrieb Dave Reisner:
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale,
>
> I am against enforcing https for projects which provide signatures. As
> Sebastien pointed o
Am 31.10.2016 um 15:05 schrieb Dave Reisner:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,
I am against enforcing https for projects which provide signatures. As
Sebastien pointed out, there are valid reasons against using https and
it adds no benefit when
I'd also vote for https. It does not hurt to use a secure channel to
download the sources from. It would be great if we as ArchLinux team
could make the first step into that direction.
However if you write such a script, it should also check if an https
download is available, as not all websites p
On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> [2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > > There's been a sizeable number of bugs filed over the past month or so
> > > about changin PKGBUILDs to acquire sources
On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote:
> On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > Hi all,
> >
> > There's been a sizeable number of bugs filed over the past month or so
> > about changin PKGBUILDs to acquire sources from https rather than http.
> >
[2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > There's been a sizeable number of bugs filed over the past month or so
> > about changin PKGBUILDs to acquire sources from https rather than http.
> > Rather than continue to flood the bug
On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> Hi all,
>
> There's been a sizeable number of bugs filed over the past month or so
> about changin PKGBUILDs to acquire sources from https rather than http.
> Rather than continue to flood the bug tracker, would anyone mind if I
> wrote a sc
Hi all,
There's been a sizeable number of bugs filed over the past month or so
about changin PKGBUILDs to acquire sources from https rather than http.
Rather than continue to flood the bug tracker, would anyone mind if I
wrote a script to find instances of this and start a TODO list? This
would,
16 matches
Mail list logo
