all messages for Guix-related lists mirrored at yhetil.org
From: Marius Bakke <mbakke@fastmail.com>
To: Ricardo Wurmus <rekado@elephly.net>, Mark H Weaver <mhw@netris.org>
Cc: 27437@debbugs.gnu.org
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Fri, 23 Jun 2017 00:32:03 +0200
Message-ID: <87shirodr0.fsf@fastmail.com>
In-Reply-To: <87o9tf1ytl.fsf@elephly.net>


Ricardo Wurmus <rekado@elephly.net> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> FWIW, I always check digital signatures when they're available, and I
>> hope that others will as well, but in practice we are putting our faith
>> in a large number of contributors, some of whom might not be so careful.
>
> I do the same when signatures are available.  I couldn’t find this
> recommendation in “contributing.texi” — should we add it there?

I think so. Many contributors won't have used GnuPG before downloading
Guix and may not remember how/why when it's time to package something.

There are a fair number of PyPI packages that are signed, I've been
meaning to make the updater aware of it. See scipy, numpy and friends.
Wouldn't mind if someone beats me to it!

As far as NSS goes, releases are announced at their "dev-tech-crypto"
mailing list[0], but the announcements are not signed either (nor do
they contain hashes). The only authenticity they provide is the TLS
connection to ftp.mozilla.org[1].

Anyone up for drafting an email to the list?

[0] https://lists.mozilla.org/listinfo/dev-tech-crypto
[1] SHA256 fingerprint (valid until 2020):
3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B

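As an added example (not code from this message, from Guix or from Mozilla), the two checks the thread weighs, written in Python: pinning the SHA256 fingerprint of a TLS certificate when that is all an upstream offers, with hostname verification left on so a certificate for the wrong domain is rejected before the pin is even consulted, and accepting a detached GnuPG signature only when it comes from the expected key. The function names, the constructed `SAMPLE_GPG_STATUS` text and the optional `keyring` parameter are assumptions; `detached_signature_is_from` needs a `gpg` binary on the path; the pinned constant is the fingerprint quoted above, which the message says was only valid until 2020.

```python
"""Pinned-fingerprint and detached-signature checks for fetched sources.

Added example for this thread; not code from the original message, from
Guix or from Mozilla. Function names, SAMPLE_GPG_STATUS and the keyring
parameter are assumptions made here.
"""
import hashlib
import hmac
import re
import socket
import ssl
import subprocess
import sys

# SHA256 certificate fingerprint for ftp.mozilla.org as quoted in the message
# above. It was stated to be valid only until 2020, so it now serves only as
# an example of a pin's format, not as a current value.
PINNED_FTP_MOZILLA_ORG = (
    "3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:"
    "69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B"
)

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys):
# a signature made by subkey ABCD...01 whose primary key is 0123...67.
SAMPLE_GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG ABCDEF0123456789 Upstream Maintainer <maintainer@example.org>\n"
    "[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2017-06-22 "
    "1498084800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def normalize_hex(value: str, nbytes: int) -> str:
    """Strip colons/whitespace from a hex fingerprint and upper-case it.

    Anything that is not exactly ``nbytes`` bytes of hex is rejected, so a
    truncated or mistyped pin cannot silently match a prefix.
    """
    digits = re.sub(r"[\s:]", "", value).upper()
    if len(digits) != 2 * nbytes or re.fullmatch(r"[0-9A-F]+", digits) is None:
        raise ValueError("expected %d hex bytes, got %r" % (nbytes, value))
    return digits


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA256 fingerprint of a DER certificate, colon-separated as in the message."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the certificate's fingerprint against a pin in constant time."""
    actual = normalize_hex(fingerprint_sha256(der_cert), 32)
    return hmac.compare_digest(actual, normalize_hex(pinned, 32))


def fetch_leaf_certificate(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Open a TLS connection with hostname verification on; return the peer's DER cert.

    create_default_context() sets check_hostname=True and CERT_REQUIRED, so a
    certificate issued for a different domain (the bug this thread is about)
    fails the handshake before any pin is consulted; the pin is an extra check
    on top of the CA-validated chain. Needs network access.
    """
    context = ssl.create_default_context()
    if not context.check_hostname or context.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("TLS context must verify both the hostname and the chain")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def signing_fingerprints(gpg_status: str) -> set:
    """Key fingerprints from the VALIDSIG lines of ``gpg --status-fd`` output.

    gpg emits VALIDSIG only for a signature that verified. The line carries the
    signing (sub)key fingerprint first and, in current versions, the primary
    key fingerprint last; both are collected so a pin on either one works.
    """
    found = set()
    for line in gpg_status.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            found.update(re.findall(r"\b[0-9A-F]{40}\b", line))
    return found


def detached_signature_is_from(sig_path: str, file_path: str,
                               expected_key_fpr: str, keyring: str = None) -> bool:
    """Run ``gpg --verify`` and accept only a valid signature from the expected key.

    gpg's exit status alone would also accept a "good" signature from any other
    key in the keyring. ``keyring`` (optional) restricts verification to a file
    holding just the upstream's key.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, file_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return normalize_hex(expected_key_fpr, 20) in signing_fingerprints(proc.stdout)


if __name__ == "__main__":
    # Usage: python3 pin_check.py HOST PINNED_SHA256_FINGERPRINT
    host, pin = sys.argv[1], sys.argv[2]
    cert = fetch_leaf_certificate(host)
    print(fingerprint_sha256(cert))
    print("pin matches" if fingerprint_matches(cert, pin) else "pin MISMATCH")
```

Run as `python3 pin_check.py ftp.mozilla.org <fingerprint>`; against the constant quoted above it will report a mismatch today, since that certificate has long been replaced, which is also the operational cost of pins: they need a maintained source of truth, whereas a signature from a pinned key fingerprint survives certificate rotation.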


Thread overview: 17+ messages
2017-06-21  6:17 bug#27437: Source downloader accepts X.509 certificate for incorrect domain Leo Famulari
2017-06-21 10:50 ` Ludovic Courtès
2017-06-22  4:09   ` Leo Famulari
2017-06-22  7:57     ` Ludovic Courtès
2017-06-22 16:16       ` Leo Famulari
2017-06-22 15:33   ` Mark H Weaver
2017-06-22 16:11     ` Leo Famulari
2017-06-22 19:12       ` Ludovic Courtès
2017-06-23  0:45         ` Mike Gerwitz
2017-06-23  9:31           ` Ludovic Courtès
2017-06-22 21:30       ` ng0
2017-06-22 21:45     ` Ricardo Wurmus
2017-06-22 22:32       ` Marius Bakke [this message]
2017-06-23  3:24       ` Leo Famulari
2017-06-23  7:29         ` Ricardo Wurmus
2017-07-27 12:29           ` Ludovic Courtès
2017-07-27 19:34             ` Ricardo Wurmus
