On 11/12/2016 09:39 PM, Luke wrote:
> Hello,
> Many downstream projects are using your source files directly from your
> FTP and packaging. This presents a problem.
>
> 1) Navigate to https://ftp.de.debian.org/debian/pool/main/
> 2) Click on ANY folder/subfolder of a popular project.
> 3) The only checksum can be found in the .dsc file.
>
> While having the .dsc file is better than nothing, it does not allow
> downstream to run GPG verification against the source files themselves.
> Additionally, .dsc files only have SHA256 as the strongest checksum.
> SHA1 and MD5 have been considered weak/broken for some time, per
> Debian's own documentation.
>
> Please consider implementing a system similar to kernel.org's -
> https://mirrors.kernel.org/sourceware/lvm2/releases/
>
> In this scenario, each source tarball is signed with GPG, and a
> SHA512SUM is included for the entire directory as well. Downstream can
> then verify the GPG signature and the checksum easily.
>
> Thank you for your time and concern.
>
>
> Sincerely,
> Luke
> Parabola GNU/Linux-libre Packager
>
>

Hello,

I forgot to mention - HTTPS is also not properly functioning on ftp.debian.org. Please consider adding HTTPS support as soon as possible.

Thank you.

Sincerely,
Luke
Parabola GNU/Linux-libre Packager
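The check downstream can actually perform today, given the layout the post describes, is to verify the OpenPGP signature on the .dsc and then compare each source file against the .dsc's Checksums-Sha256 field. The following is an added example, not from the post or from Debian's own tooling: it parses a constructed .dsc body and verifies constructed sample files against it, assuming the .dsc signature has already been checked with gpg.

```python
"""Check Debian source files against the Checksums-Sha256 field of a .dsc.
Added example, not from the post or Debian's tools; assumes the .dsc was
already OpenPGP-verified. All data below is constructed sample data."""
import hashlib

# Constructed stand-ins for the tarballs a real .dsc would list.
SAMPLE_FILES = {
    "example_1.0.orig.tar.xz": b"constructed orig tarball bytes\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian tarball bytes\n",
}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed .dsc body (clearsign armor omitted). Continuation lines of a
# field start with one space: "<sha256> <size> <filename>".
SAMPLE_DSC = (
    "Format: 3.0 (quilt)\n"
    "Source: example\n"
    "Version: 1.0-1\n"
    "Checksums-Sha256:\n"
    + "".join(f" {_sha256(b)} {len(b)} {n}\n" for n, b in SAMPLE_FILES.items())
    + "Files:\n"  # the weaker MD5 field follows in a real .dsc
    + " 00000000000000000000000000000000 0 placeholder\n"  # placeholder entry
)

def parse_sha256_field(dsc_text: str) -> dict:
    """Return {filename: (sha256_hex, size)}; the field ends at the first
    following line that does not start with a space (here "Files:")."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if in_field:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif line == "Checksums-Sha256:":
            in_field = True
    return entries

def verify_sources(dsc_text: str, files: dict) -> dict:
    """Map each listed filename to True only if its bytes are present and
    match both the recorded size and the SHA256 digest."""
    results = {}
    for name, (digest, size) in parse_sha256_field(dsc_text).items():
        data = files.get(name)
        results[name] = bool(data is not None and len(data) == size
                             and _sha256(data) == digest)
    return results
```

A missing file, a size change or a content change each yields False for that entry, so a packager can fail the build on any False before unpacking.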