From: Marius Bakke
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Fri, 23 Jun 2017 00:32:03 +0200
Message-ID: <87shirodr0.fsf@fastmail.com>
In-Reply-To: <87o9tf1ytl.fsf@elephly.net>
To: Ricardo Wurmus, Mark H Weaver
Cc: 27437@debbugs.gnu.org
List: Bug reports for GNU Guix (bug-guix@gnu.org)

Ricardo Wurmus writes:

> Mark H Weaver writes:
>
>> FWIW, I always check digital signatures when they're available, and I
>> hope that others will as well, but in practice we are putting our faith
>> in a large number of contributors, some of whom might not be so careful.
>
> I do the same when signatures are available. I couldn't find this
> recommendation in "contributing.texi" — should we add it there?

I think so. Many contributors won't have used GnuPG before downloading
Guix and may not remember how/why when it's time to package something.

There are a fair number of PyPI packages that are signed; I've been
meaning to make the updater aware of it. See scipy, numpy and friends.
Wouldn't mind if someone beats me to it!

As far as NSS goes, releases are announced at their "dev-tech-crypto"
mailing list[0], but the announcements are not signed either (nor do they
contain hashes). The only authenticity they provide is the TLS connection
to ftp.mozilla.org[1].

Anyone up for drafting an email to the list?

[0] https://lists.mozilla.org/listinfo/dev-tech-crypto
[1] SHA256 fingerprint (valid until 2020):
3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B
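The fingerprint quoted in [1] only helps if the downloader actually compares it against the certificate the server presents, and it must do so on top of, not instead of, ordinary chain and hostname verification (accepting a valid certificate for the wrong hostname is exactly what this bug is about). Below is an added example of such a pinned fetch in Python; it is not code from this thread or from Guix, and the function names, the HTTP/1.0 fetch wrapper and the pin constant are assumptions for illustration. Only the fingerprint helpers run offline; the network function is shown for completeness.

```python
"""Pin a server's X.509 certificate by SHA-256 fingerprint before downloading.

Added example; not code from the bug thread or from Guix. The names
sha256_fingerprint, fingerprint_matches and fetch_with_pinned_cert are
assumed for illustration.
"""
import hashlib
import hmac
import socket
import ssl

# Fingerprint quoted in the message: colon-separated SHA-256 of the DER cert,
# the same form that `openssl x509 -fingerprint -sha256` prints.
PINNED_FINGERPRINT = (
    "3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:"
    "69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B"
)


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, upper-case hex, colon-separated."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison against a pin; colons and case are ignored."""
    def normalise(fp: str) -> str:
        return fp.replace(":", "").upper()
    return hmac.compare_digest(normalise(sha256_fingerprint(der_cert)),
                               normalise(pinned))


def fetch_with_pinned_cert(host: str, path: str, pinned: str,
                           port: int = 443) -> bytes:
    """Fetch an HTTPS resource only if the peer certificate is the pinned one.

    ssl.create_default_context() verifies the CA chain and (check_hostname is
    True by default) that the certificate is for `host`; the pin is checked in
    addition, so a CA-issued certificate for some other domain is rejected by
    the hostname check and a different valid certificate for the right domain
    is rejected by the pin. Needs network access; not exercised offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not fingerprint_matches(der, pinned):
                raise ssl.SSLError(
                    f"certificate for {host} does not match pin; got "
                    f"{sha256_fingerprint(der)}")
            request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    response = b"".join(chunks)
    # Strip the HTTP header block; the caller still has to check the status line.
    header_end = response.find(b"\r\n\r\n")
    return response[header_end + 4:] if header_end >= 0 else response


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    sample_der = b"\x30\x82\x00\x10constructed-cert"
    print(sha256_fingerprint(sample_der))
    print(fingerprint_matches(sample_der, PINNED_FINGERPRINT))  # False for a stand-in
```

Note that a pin expires with the certificate (the message says "valid until 2020"), so a pinned downloader needs a plan for rotation; the hostname check, by contrast, keeps working across renewals and is the part the bug report says was missing.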