From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain Date: Thu, 22 Jun 2017 21:12:27 +0200 Message-ID: <87wp83rg4k.fsf@gnu.org> References: <20170621061752.GA32412@jasmine.lan> <87lgolipi0.fsf@gnu.org> <87injohwac.fsf@netris.org> <20170622161108.GA15580@jasmine.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:59940) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dO7XO-00061g-3f for bug-guix@gnu.org; Thu, 22 Jun 2017 15:13:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dO7XK-0003sJ-S1 for bug-guix@gnu.org; Thu, 22 Jun 2017 15:13:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:59020) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dO7XK-0003sE-OB for bug-guix@gnu.org; Thu, 22 Jun 2017 15:13:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dO7XK-00045b-Iw for bug-guix@gnu.org; Thu, 22 Jun 2017 15:13:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <20170622161108.GA15580@jasmine.lan> (Leo Famulari's message of "Thu, 22 Jun 2017 12:11:08 -0400") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Leo Famulari Cc: 27437@debbugs.gnu.org Leo Famulari skribis: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: >> ludo@gnu.org (Ludovic Court=C3=A8s) writes: >> > IOW, since we=E2=80=99re checking the integrity of the tarball anyway,= and we >> > assume developers checked its authenticity when writing the recipe, th= en >> > who cares whether downloads.xiph.org has a valid certificate? >> > >> > Conversely, =E2=80=98guix download=E2=80=99 always checks certificates= by default. >> > >> > Does it make sense? >>=20 >> Yes, and I agree with this behavior. However, it should be noted that >> this will reduce the security of a bad practice that I suspect is >> sometimes used by people when updating packages, namely to update the >> version number, try building it, and then copy the hash from the error >> message to the package. > > Yeah, that's a bad habit and I warn people against it whenever it comes > up :/ Agreed. That said, if we look at our updaters: --8<---------------cut here---------------start------------->8--- $ guix refresh --list-updaters=20 Available updaters: - cpan: Updater for CPAN packages (9.2% coverage) - cran: Updater for CRAN packages (4.0% coverage) - bioconductor: Updater for Bioconductor packages (1.2% coverage) - crates: Updater for crates.io packages (.0% coverage) - elpa: Updater for ELPA packages (.3% coverage) - gem: Updater for RubyGem packages (2.5% coverage) - github: Updater for GitHub packages (10.5% coverage) - hackage: Updater for Hackage packages (5.2% coverage) - pypi: Updater for PyPI packages (17.6% coverage) - stackage: Updater for Stackage LTS packages (5.2% coverage) - kernel.org: Updater for packages hosted on kernel.org (.5% coverage) - gnome: Updater for GNOME packages (2.9% coverage) - xorg: Updater for X.org packages (3.2% coverage) - gnu: Updater for GNU packages (5.6% coverage) - kde: Updater for KDE packages (1.3% coverage) 69.0% of the packages are covered by these updaters. --8<---------------cut here---------------end--------------->8--- I think only GNU and kernel.org provide signatures, which represents 6% of our packages. Of the 30% that do not have an updater, surely some have digital signatures, but we=E2=80=99re probably still below 10%. The situation is bad in general=E2=80=A6 Ludo=E2=80=99.