Subject: [bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.
From: Mark H Weaver
To: Leo Famulari
Cc: 29046@debbugs.gnu.org, Rutger Helling
Date: Mon, 30 Oct 2017 15:14:10 -0400
Message-ID: <87po94cut9.fsf@netris.org>
In-Reply-To: <20171030144408.GB27298@jasmine.lan> (Leo Famulari's message of "Mon, 30 Oct 2017 10:44:08 -0400")
References: <70ee5da890c2fe609d54af4a3e1f18df@mykolab.com> <30a6703bf921961424f93af098f2ec8f@mykolab.com> <20171030144408.GB27298@jasmine.lan>

Hi Leo,

Leo Famulari writes:

> On Mon, Oct 30, 2017 at 08:06:39AM +0100, Rutger Helling wrote:
>> I noticed linux-libre had already been updated, so this new patch only
>> changes the URL to HTTPS.
>
>> From b68a2c630258324628a7ef34005ff1d790a3a139 Mon Sep 17 00:00:00 2001
>> From: Rutger Helling
>> Date: Mon, 30 Oct 2017 08:02:10 +0100
>> Subject: [PATCH] gnu: linux-libre: Change URL to HTTPS.
>>
>> * gnu/packages/linux.scm (linux-libre): Change URL to HTTPS.
>
> Hi!
> Thanks for paying attention to the linux-libre packages.
>
> I'm copying Mark on this email, since he typically handles the
> linux-libre packages. Mark, what do you think of this change?

Thanks for bringing this to my attention. I'm not strongly opposed to
it, but in general, I'm not sure I understand the rationale for changing
source URLs to use HTTPS.

We already verify the authenticity of the downloaded file by SHA256
hash, and verify the GPG signature when updating to a new version. Both
of these are far stronger than HTTPS, which in practice can be subverted
by compromising *any* certificate authority listed in our trust database
(in Mozilla NSS).

HTTPS also fails to hide from an eavesdropper which file was downloaded,
because in practice that can be determined by the amount of data
transferred.

So, unless I'm mistaken, HTTPS doesn't provide any benefit to us here.

On the other hand, using HTTPS entails using more complex code to
download the files, which exposes a much larger attack surface that
might be exploited to compromise our systems. Many security flaws have
been uncovered in TLS libraries over the years. Using HTTPS also adds
more load on the server.

In summary, I'm mildly opposed to this change, but if I've made a
mistake in my reasoning here, or if other people feel strongly, I'm okay
either way.

What do you think?

Mark
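
An added illustration of the integrity argument in the message above; it is not code from Guix or from this thread. It models a download checked against a pinned SHA-256, showing that acceptance depends on the hash and not on the URL scheme. The origin record, the example.org mirror URLs, the simulated network and the hex hash encoding are all assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a source tarball and a modified copy.
GENUINE = b"linux-libre source tarball (constructed sample bytes)\n"
TAMPERED = GENUINE + b"bytes added in transit\n"

# Hypothetical origin record: mirror URLs plus the hash pinned in the package
# definition (hex here for brevity; this encoding is an assumption).
ORIGIN = {
    "urls": [
        "http://mirror-a.example.org/linux-libre.tar.xz",
        "https://mirror-b.example.org/linux-libre.tar.xz",
        "https://mirror-c.example.org/linux-libre.tar.xz",
    ],
    "sha256": hashlib.sha256(GENUINE).hexdigest(),
}

# Simulated network. mirror-a is altered over plain HTTP; mirror-b models a
# TLS session served under a certificate from a compromised CA.
NETWORK = {
    ORIGIN["urls"][0]: TAMPERED,
    ORIGIN["urls"][1]: TAMPERED,
    ORIGIN["urls"][2]: GENUINE,
}


class HashMismatch(Exception):
    """No URL returned bytes matching the pinned hash."""


def fetch_verified(origin, network):
    """Return (url, data, rejected) for the first body matching the pinned hash."""
    rejected = []
    for url in origin["urls"]:
        data = network.get(url)
        if data is None:          # mirror unreachable: try the next one
            continue
        actual = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(actual, origin["sha256"]):
            return url, data, rejected
        rejected.append((url, actual))   # wrong bytes, whatever the scheme
    raise HashMismatch(rejected)


if __name__ == "__main__":
    url, data, rejected = fetch_verified(ORIGIN, NETWORK)
    for bad_url, digest in rejected:
        print("rejected", bad_url, digest[:16])
    print("accepted", url, len(data), "bytes")
```

The check is only as trustworthy as the pinned hash itself, which is why the message pairs it with GPG verification when a new version is introduced.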