From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Kost <alezost@gmail.com>
Subject: Re: Checking signatures on source tarballs
Date: Wed, 07 Oct 2015 20:45:53 +0300
Message-ID: <87oagabmi6.fsf@gmail.com>
References: <1443791046-1015-1-git-send-email-alezost@gmail.com>
	<1443791046-1015-3-git-send-email-alezost@gmail.com>
	<87d1wvadw2.fsf@gnu.org> <87bnceah2e.fsf@gmail.com>
	<87r3la6077.fsf@gnu.org> <87eghalc7s.fsf@gmail.com>
	<87wpv1tils.fsf@gnu.org> <87a8rwf2vl.fsf@gmail.com>
	<8737xntorr.fsf_-_@netris.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58789)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alezost@gmail.com>) id 1Zjsmz-00068F-9F
	for guix-devel@gnu.org; Wed, 07 Oct 2015 13:46:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alezost@gmail.com>) id 1Zjsmt-0002ij-1x
	for guix-devel@gnu.org; Wed, 07 Oct 2015 13:46:03 -0400
Received: from mail-lb0-x22c.google.com ([2a00:1450:4010:c04::22c]:35076)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alezost@gmail.com>) id 1Zjsms-0002iY-QY
	for guix-devel@gnu.org; Wed, 07 Oct 2015 13:45:58 -0400
Received: by lbwr8 with SMTP id r8so19846049lbw.2
	for <guix-devel@gnu.org>; Wed, 07 Oct 2015 10:45:58 -0700 (PDT)
In-Reply-To: <8737xntorr.fsf_-_@netris.org> (Mark H. Weaver's message of "Tue,
	06 Oct 2015 22:07:20 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org

Mark H Weaver (2015-10-07 05:07 +0300) wrote:

> Alex Kost <alezost@gmail.com> writes:
>
>> Ludovic Court=C3=A8s (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost <alezost@gmail.com> skribis:
>>>
>>>> Ludovic Court=C3=A8s (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is =E2=80=9Ctoo convenient=E2=80=9D, I=E2=80=99m afr=
aid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the =E2=80=98sha256=E2=80=99 =
field without
>>> going through the trouble of downloading the =E2=80=98.sig=E2=80=99 fil=
e and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean.  Well, I don't know, I think if a user has
>> a habbit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern.  It is a serious problem if packagers fail to
> check signatures.  We should not provide mechanisms that encourage such
> behavior.  It jeopardizes the security of every user of those packages.

OK, apparently I underestimate security issues, thanks.

--=20
Alex