From: ng0
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 21:30:36 +0000
Message-ID: <20170622213036.kvcwug7l3xf5yyhu@abyayala>
In-Reply-To: <20170622161108.GA15580@jasmine.lan>
To: Leo Famulari
Cc: 27437@debbugs.gnu.org

Leo Famulari transcribed 2.4K bytes:
> On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote:
> > ludo@gnu.org (Ludovic Courtès) writes:
> > > IOW, since we’re checking the integrity of the tarball anyway, and we
> > > assume developers checked its authenticity when writing the recipe, then
> > > who cares whether downloads.xiph.org has a valid certificate?
> > >
> > > Conversely, ‘guix download’ always checks certificates by default.
> > >
> > > Does it make sense?
> >
> > Yes, and I agree with this behavior. However, it should be noted that
> > this will reduce the security of a bad practice that I suspect is
> > sometimes used by people when updating packages, namely to update the
> > version number, try building it, and then copy the hash from the error
> > message to the package.
>
> Yeah, that's a bad habit and I warn people against it whenever it comes
> up :/
>
> > FWIW, I always check digital signatures when they're available, and I
> > hope that others will as well, but in practice we are putting our faith
> > in a large number of contributors, some of whom might not be so careful.
> >
> > Also, sadly, many packages are distributed without digital signatures at
> > all. One glaring example is NSS.
>
> Do we have any contacts at Mozilla we can talk to about this? I imagine
> it's a long shot, with many bureaucratic hurdles, but it's worth asking
> for.

One way is their bugtracker. Does any one of us have an account at their
bugzilla? If it can't be discussed via bugzilla, there must be some
mailing list for NSS development.
-- 
ng0
OpenPGP: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/
https://www.infotropique.org