From: Mark H Weaver
Subject: Re: Checking signatures on source tarballs
Date: Thu, 15 Oct 2015 09:33:54 -0400
Message-ID: <87wpuoz265.fsf@netris.org>
References: <1443791046-1015-1-git-send-email-alezost@gmail.com> <1443791046-1015-3-git-send-email-alezost@gmail.com> <87d1wvadw2.fsf@gnu.org> <87bnceah2e.fsf@gmail.com> <87r3la6077.fsf@gnu.org> <87eghalc7s.fsf@gmail.com> <87wpv1tils.fsf@gnu.org> <87a8rwf2vl.fsf@gmail.com> <8737xntorr.fsf_-_@netris.org> <87k2qy7uj7.fsf@gnu.org> <87io6iojmf.fsf@netris.org> <87bnca2y59.fsf@gnu.org> <1444800788.3026.16.camel@openmailbox.org>
In-Reply-To: <1444800788.3026.16.camel@openmailbox.org> (Rastus Vernon's message of "Wed, 14 Oct 2015 01:33:08 -0400")
To: Rastus Vernon
Cc: guix-devel@gnu.org

Rastus Vernon writes:

> When the code comes from a Git repository, it's possible for the source
> tarballs not to be signed (or not to exist at all), but for the tags in
> the repository to be signed at each release. In these cases, there is
> no signature file, but this is still a way for packagers to verify the
> authenticity of the source code.

Good point!

> Ludovic Courtès wrote:
>> When I download a package, the best I can do is to download its .sig
>> and check it, optionally adding the corresponding public key to my
>> keyring if it’s missing. And that’s it.
>
> A small improvement is to download the signature from another location
> (for example a public library, or using a proxy or Tor) and compare the
> two to verify that they are the same. This makes a MiTM attack between
> the server and the computer the signature is downloaded to nearly
> impossible.

It is indeed "a small improvement", but I strongly disagree that it's
"nearly impossible". A compromised router or switch near the server
could successfully perform MiTM attacks even if Tor is used. In most
cases this is well within the capabilities of the NSA or GCHQ, as is
breaking into the server itself.

      Mark
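As an added illustration of the signed-tag check Rastus describes (this is not code from the thread or from Guix), the packager-side caveat is that "gpg says the signature is good" is not enough: the signing key should be pinned by fingerprint, and expired or revoked keys refused. `git verify-tag --raw` relays gpg's status-fd lines on stderr; the status lines embedded below are constructed samples with a placeholder fingerprint, and `verify_tag`, `evaluate_status` and the `repo`/`tag` arguments are names assumed here.

```python
import re
import subprocess

# gpg status-fd lines, as relayed on stderr by `git verify-tag --raw <tag>`.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Constructed sample output for a hypothetical maintainer key (placeholder fingerprint).
SAMPLE_GOOD = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-10-15 1444915234 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")

def evaluate_status(status_text, trusted_fingerprints):
    """Return (accepted, reason) for a block of gpg status lines.

    Accept only on GOODSIG plus a VALIDSIG fingerprint that is pinned in
    trusted_fingerprints; unknown, expired or revoked keys are rejected.
    """
    good = False
    seen = set()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            seen.add(args[0].upper())          # fingerprint of the signing (sub)key
            if len(args) >= 10:
                seen.add(args[9].upper())      # fingerprint of the primary key, if given
    if not good or not seen:
        return False, "NO_GOODSIG"
    if seen & {f.replace(" ", "").upper() for f in trusted_fingerprints}:
        return True, "GOODSIG"
    return False, "UNTRUSTED_KEY"

def verify_tag(repo, tag, trusted_fingerprints):
    """Verify a signed tag in `repo`, insisting on one of the pinned signing keys."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    if "[GNUPG:]" not in proc.stderr:
        return False, "GIT_ERROR"                # unsigned tag, missing gpg, or no such tag
    return evaluate_status(proc.stderr, trusted_fingerprints)
```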