From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain Date: Thu, 22 Jun 2017 12:11:08 -0400 Message-ID: <20170622161108.GA15580@jasmine.lan> References: <20170621061752.GA32412@jasmine.lan> <87lgolipi0.fsf@gnu.org> <87injohwac.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43146) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dO4iF-0002lS-Tp for bug-guix@gnu.org; Thu, 22 Jun 2017 12:12:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dO4iB-0006VD-9y for bug-guix@gnu.org; Thu, 22 Jun 2017 12:12:07 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:58899) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dO4iB-0006V2-6e for bug-guix@gnu.org; Thu, 22 Jun 2017 12:12:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dO4i9-0008Ra-OI for bug-guix@gnu.org; Thu, 22 Jun 2017 12:12:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87injohwac.fsf@netris.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Mark H Weaver Cc: 27437@debbugs.gnu.org --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: > ludo@gnu.org (Ludovic Court=C3=A8s) writes: > > IOW, since we=E2=80=99re checking the integrity of the tarball anyway, = and we > > assume developers checked its authenticity when writing the recipe, then > > who cares whether downloads.xiph.org has a valid certificate? > > > > Conversely, =E2=80=98guix download=E2=80=99 always checks certificates = by default. > > > > Does it make sense? >=20 > Yes, and I agree with this behavior. However, it should be noted that > this will reduce the security of a bad practice that I suspect is > sometimes used by people when updating packages, namely to update the > version number, try building it, and then copy the hash from the error > message to the package. Yeah, that's a bad habit and I warn people against it whenever it comes up :/ > FWIW, I always check digital signatures when they're available, and I > hope that others will as well, but in practice we are putting our faith > in a large number of contributors, some of whom might not be so careful. >=20 > Also, sadly, many packages are distributed without digital signatures at > all. One glaring example is NSS. Do we have any contacts at Mozilla we can talk to about this? I imagine it's a long shot, with many bureaucratic hurdles, but it's worth asking for. --ew6BAiZeqk4r7MaW Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllL7BkACgkQJkb6MLrK fwhVbQ/9GY29rXJkWg3XgcDso7vjSp4J2wfooB1b2572z0oqkE4Q+N9gs2ApdI8D iLY206weA+PZakOVJ2oA4LMa/n1yU0S3hoZvOJkExPfhN81Oe7DcxflOCYRZeA8j uVsZRTjfm4dvoIUxKCleekOa2lvvYf04UbXbWHjbfP03L+LPxsvuNWJ7J7YLZtxF LM9GnF0J549HjTuRnmkmDo7gnmRY1FwucycNSKeGwnzx8EmjAsd5bJK96HQ94bhS fm1UiREyssSDsa5LOW+fKSGgu9FNDrPKwv8A9OezUUDTUAiQNB05ho0trCCPlkPv 1903UJ5Uy/dY7liTdTngkfJib7sxhdc3zX6hI47WjpNc60EzY2L01my1sO2sYG9J /G1iL/1tRyKtVSI1hZ/Csyvvfhwbv83aYnDLRj7/r+7wWv8uiLbJQX3Zlq1pkYXK ed+iThWPlU8oM8z0cI4ZZxq4SEPBfgqjZ7xmKahrAA/zjMx3wJ3Py3ngfZH82YZ0 Dp6zFDRR968LtcEsDvMILM8spzubaCy/lcJHhTvDNMuNFjp7Uq5fXMLUI6eUomDo MoTM6w9tRqkzYAb1BtBhjiyXwyzLHled0zsREZgzow3qy+mJy3P70vJBQGH+N/Wu Bw4aUDyLNLz2sWSbmLzKip4dmbOczZ1LTvPj20sbhXeb1f+j72Q= =PMC0 -----END PGP SIGNATURE----- --ew6BAiZeqk4r7MaW--