bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-07-27 Thread Ricardo Wurmus
Ludovic Courtès writes: > Ricardo Wurmus writes: > >>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001 >> From: Ricardo Wurmus >> Date: Fri, 23 Jun 2017 09:24:58 +0200 >> Subject: [PATCH] doc: Encourage signature verification. >> >> * doc/contributing.texi (Submitting Pa

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-07-27 Thread Ludovic Courtès
Ricardo Wurmus writes: >>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001 > From: Ricardo Wurmus > Date: Fri, 23 Jun 2017 09:24:58 +0200 > Subject: [PATCH] doc: Encourage signature verification. > > * doc/contributing.texi (Submitting Patches): Remind contributors to verif

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-23 Thread Ludovic Courtès
Mike Gerwitz writes: > On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote: >> I think only GNU and kernel.org provide signatures, which represents 6% >> of our packages. Of the 30% that do not have an updater, surely some >> have digital signatures, but we’re probably still below 10%

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-23 Thread Ricardo Wurmus
Leo Famulari writes: > On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote: >> >> Mark H Weaver writes: >> >> > FWIW, I always check digital signatures when they're available, and I >> > hope that others will as well, but in practice we are putting our faith >> > in a large number

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote: > > Mark H Weaver writes: > > > FWIW, I always check digital signatures when they're available, and I > > hope that others will as well, but in practice we are putting our faith > > in a large number of contributors, some of whom mi

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Mike Gerwitz
On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote: > I think only GNU and kernel.org provide signatures, which represents 6% > of our packages. Of the 30% that do not have an updater, surely some > have digital signatures, but we’re probably still below 10%. The > situation is bad in

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Marius Bakke
Ricardo Wurmus writes: > Mark H Weaver writes: > >> FWIW, I always check digital signatures when they're available, and I >> hope that others will as well, but in practice we are putting our faith >> in a large number of contributors, some of whom might not be so careful. > > I do the same when

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Ricardo Wurmus
Mark H Weaver writes: > FWIW, I always check digital signatures when they're available, and I > hope that others will as well, but in practice we are putting our faith > in a large number of contributors, some of whom might not be so careful. I do the same when signatures are available. I coul

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread ng0
Leo Famulari transcribed 2.4K bytes: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > > l...@gnu.org (Ludovic Courtès) writes: > > > IOW, since we’re checking the integrity of the tarball anyway, and we > > > assume developers checked its authenticity when writing the recipe, then

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Ludovic Courtès
Leo Famulari writes: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: >> l...@gnu.org (Ludovic Courtès) writes: >> > IOW, since we’re checking the integrity of the tarball anyway, and we >> > assume developers checked its authenticity when writing the recipe, then >> > who cares

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 09:57:23AM +0200, Ludovic Courtès wrote: > > Perhaps a MITM could send a huge file and fill up the disk or something > > like that. > > I’m generally in favor of relying on X.509 certificates as little as > possible, and in this case, while I agree that it could protect us

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Leo Famulari
On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > l...@gnu.org (Ludovic Courtès) writes: > > IOW, since we’re checking the integrity of the tarball anyway, and we > > assume developers checked its authenticity when writing the recipe, then > > who cares whether downloads.xiph.org has

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Mark H Weaver
l...@gnu.org (Ludovic Courtès) writes: > The behavior of the source download is on purpose as noted in (guix > download): > >;; No need to validate certificates since we know the >;; hash of the expected result. >#:verify-cert

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-22 Thread Ludovic Courtès
Leo Famulari writes: > On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote: >> Leo Famulari writes: >> > While working on some package updates, I found that the source code >> > downloader will accept an X.509 certificate for an incorrect site. > > [...] > >> IOW, since we’re check

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-21 Thread Leo Famulari
On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote: > Leo Famulari writes: > > While working on some package updates, I found that the source code > > downloader will accept an X.509 certificate for an incorrect site. [...] > IOW, since we’re checking the integrity of the tarball a

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-21 Thread Ludovic Courtès
Hi, Leo Famulari writes: > While working on some package updates, I found that the source code > downloader will accept an X.509 certificate for an incorrect site. > > Here is what happens: > > -- > $ ./pre-inst-env guix build -S opus-tools --check > @ build-started > /gnu/store/nn93hkik8k

bug#27437: Source downloader accepts X.509 certificate for incorrect domain

2017-06-20 Thread Leo Famulari
While working on some package updates, I found that the source code downloader will accept an X.509 certificate for an incorrect site. Here is what happens: -- $ ./pre-inst-env guix build -S opus-tools --check @ build-started /gnu/store/nn93hkik8kvrigcf2pvmym01zg7jqm4v-opus-tools-0.1.10.tar.