
Re: copyright file and non-secure URL's

On Wed, Jun 18, 2014 at 04:10:19PM +0200, Vincent Lefevre wrote:
> But I wonder whether it is a good idea to promote only non-secure URL's
> to the source (at least if there are no associated signatures), as some
> packages do. One may also wonder whether the package maintainer has
> used such a URL to download upstream's source. For instance, for libc6,
> /usr/share/doc/libc6/copyright contains:
> --------
> It was put together by the GNU Libc Maintainers <debian-glibc@lists.debian.org>
> from <svn://svn.eglibc.org>
> --------

Whether the URL indicates a protocol that uses encryption or not needs
to be irrelevant. It's the integrity of the data that matters, not
that of the transport. Indeed, the transport being encrypted tells us
nothing about the integrity of the data: an attacker may have replaced
the file on the real server. Transport encryption can protect against
eavesdroppers, but that's rarely relevant for Debian package sources.

This is why a separate digital signature of the upstream source, made
with a trustable key, is needed, just like with Debian package
repositories. Most repositories are accessed over HTTP, not
HTTP+SSL/TLS, but packages can be trusted anyway, thanks to PGP
signatures on Release files, made with a key which can be verified via
the web of trust.

I, for one, oppose unthinkingly promoting bad encryption methods (such
as SSL and TLS).

http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers
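
The trust chain the reply above describes, written out as an added example (this is not code from the original message, nor apt's own code): the one cryptographic step is checking the Release signature against a keyring of keys you have chosen to trust, which is done here by calling gpgv, the tool apt uses; after that, every link is a SHA256 hash, Release vouching for the Packages index and the index vouching for each .deb, and whether the bytes arrived over http or https plays no part. The package name, version, file paths and the bytes standing in for a .deb are constructed for the example.

```python
import hashlib
import hmac
import subprocess


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release_signature(release_path, keyring_path, detached_sig_path=None):
    """Step 1: verify the Release signature with gpgv (what apt itself shells out to).
    A clearsigned InRelease is passed alone; a plain Release needs its Release.gpg.
    Only keys in keyring_path are trusted; the transport is irrelevant here."""
    cmd = ["gpgv", "--keyring", keyring_path]
    if detached_sig_path is not None:
        cmd.append(detached_sig_path)
    cmd.append(release_path)
    return subprocess.run(cmd, capture_output=True).returncode == 0


def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if line.startswith(" ") and in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif not line.startswith(" "):
            in_section = False  # some other field or hash section begins
    return entries


def parse_packages(packages_text):
    """Split a Packages index into a list of {field: value} stanzas."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_blob(data: bytes, expected_hex: str, expected_size: int) -> bool:
    """Cheap size check first, then a constant-time comparison of the digest."""
    if len(data) != expected_size:
        return False
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_chain(release_text, packages_text, packages_path, deb_name, deb_bytes):
    """Steps 2 and 3, run only after the Release signature checked out:
    Release -> hash of Packages -> hash of the .deb. True only if every link holds."""
    index = parse_release_sha256(release_text)
    if packages_path not in index:
        return False
    digest, size = index[packages_path]
    if not verify_blob(packages_text.encode(), digest, size):
        return False
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == deb_name:
            return verify_blob(deb_bytes, stanza["SHA256"], int(stanza["Size"]))
    return False  # package not listed in the signed index at all


def build_sample_repo():
    """Constructed repository fragment for the example (not real Debian data)."""
    deb = b"!<arch>\ndebian-binary   stand-in bytes, not a real package\n"
    deb_name = "pool/main/g/glibc/libc6_2.36-9_amd64.deb"
    packages = ("Package: libc6\nVersion: 2.36-9\nArchitecture: amd64\n"
                f"Filename: {deb_name}\nSize: {len(deb)}\nSHA256: {sha256_hex(deb)}\n\n")
    packages_path = "main/binary-amd64/Packages"
    release = ("Origin: Debian\nSuite: stable\nCodename: bookworm\n"
               "Architectures: amd64\nComponents: main\nSHA256:\n"
               f" {sha256_hex(packages.encode())} {len(packages.encode())} {packages_path}\n")
    return release, packages, packages_path, deb_name, deb


if __name__ == "__main__":
    release, packages, ppath, dname, deb = build_sample_repo()
    print("intact chain:", verify_chain(release, packages, ppath, dname, deb))
    print("tampered .deb:", verify_chain(release, packages, ppath, dname, deb + b"x"))
    print("tampered index:", verify_chain(release, packages.replace("2.36-9", "2.36-8"),
                                          ppath, dname, deb))
```

The same shape applies to the upstream tarball the reply is really about: a detached signature (foo.tar.gz.asc) verified with gpg against a key pinned in the packaging rather than fetched from the same place as the tarball, with the download URL's scheme not entering into the decision.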
