From: Alex Kost
Subject: Re: Checking signatures on source tarballs
Date: Wed, 07 Oct 2015 20:45:53 +0300
Message-ID: <87oagabmi6.fsf@gmail.com>
In-Reply-To: <8737xntorr.fsf_-_@netris.org> (Mark H. Weaver's message of "Tue, 06 Oct 2015 22:07:20 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: guix-devel@gnu.org

Mark H Weaver (2015-10-07 05:07 +0300) wrote:

> Alex Kost writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost skribis:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without
>>> going through the trouble of downloading the ‘.sig’ file and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to
> check signatures. We should not provide mechanisms that encourage such
> behavior. It jeopardizes the security of every user of those packages.

OK, apparently I underestimate security issues, thanks.

-- 
Alex
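The workflow Ludovic describes in the quoted text (fetch the tarball and its ‘.sig’, check the signature, and only then fill in the ‘sha256’ field), written out as an added example. This is not code from the thread or from Guix itself. It assumes gpg and sha256sum are installed and that the packager already obtained the upstream key's fingerprint out of band; the keyring, key and "tarball" it builds are constructed stand-ins so the script runs offline. In a real package definition the hash is written in the nix-base32 form printed by `guix hash`; sha256sum is used here only for portability.

```shell
#!/bin/sh
# Added example, not code from the Guix thread or from Guix itself.
# Verify an upstream detached OpenPGP signature against a pinned key
# fingerprint, and only then compute the sha256 that goes into the
# package definition. Assumptions (constructed for this example): gpg and
# sha256sum are installed; the upstream fingerprint was obtained out of
# band (a key fetched from a mirror or a keyserver proves nothing by itself).
set -eu

# verify_then_hash TARBALL SIGFILE EXPECTED_FPR
# Prints the sha256 of TARBALL only if SIGFILE is a valid signature over it
# made by the key whose fingerprint is EXPECTED_FPR; returns 1 otherwise.
verify_then_hash() {
    tarball=$1
    sig=$2
    expected_fpr=$3
    # --status-fd 1 makes gpg print machine-readable lines on stdout; the
    # VALIDSIG line carries the full fingerprint of the signing key. A bare
    # "Good signature" exit status is not enough: any key that happens to be
    # in the keyring would satisfy it.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ "$got_fpr" = "$expected_fpr" ] || return 1
    sha256sum "$tarball" | cut -d' ' -f1
}

# Constructed scenario: an ephemeral keyring stands in for upstream so the
# walkthrough runs offline. Sets DEMO_DIR, UPSTREAM_FPR and GNUPGHOME.
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    GNUPGHOME="$DEMO_DIR/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Upstream
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
    # The fingerprint a packager would have pinned from a trusted source.
    UPSTREAM_FPR=$(gpg --batch --with-colons --fingerprint --list-keys \
                   | awk -F: '/^fpr:/ {print $10; exit}')
    printf 'not really a tarball: foo-1.0\n' > "$DEMO_DIR/foo-1.0.tar.gz"
    gpg --batch --yes --detach-sign \
        --output "$DEMO_DIR/foo-1.0.tar.gz.sig" "$DEMO_DIR/foo-1.0.tar.gz" 2>/dev/null
}

# Walk through the cases a packager should expect.
main() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping walkthrough" >&2; return 0; }
    setup_demo
    t="$DEMO_DIR/foo-1.0.tar.gz"
    s="$DEMO_DIR/foo-1.0.tar.gz.sig"
    echo "pinned upstream fingerprint: $UPSTREAM_FPR"
    echo "1. genuine tarball, pinned key -> hash is safe to use:"
    verify_then_hash "$t" "$s" "$UPSTREAM_FPR" || echo "   rejected (unexpected)"
    echo "2. good signature, but not the key we pinned -> rejected:"
    verify_then_hash "$t" "$s" "0000000000000000000000000000000000000000" \
        || echo "   rejected: signed by a key we did not pin"
    echo "3. tarball changed after signing -> rejected:"
    printf 'backdoor\n' >> "$t"
    verify_then_hash "$t" "$s" "$UPSTREAM_FPR" || echo "   rejected: signature does not match"
}
main "$@"
```

The point of pinning the fingerprint is the second case: gpg exits 0 for a signature by any key in the keyring, so a script that only checks the exit status can be satisfied by importing whatever key sits next to the tarball on the mirror. The hash is printed only after both the signature and the key identity check out, which is the order the quoted discussion argues for.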