bug#27437: Source downloader accepts X.509 certificate for incorrect dom
From: Leo Famulari
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 12:11:08 -0400
User-agent: Mutt/1.8.3 (2017-05-23)

On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote:
> address@hidden (Ludovic Courtès) writes:
> > IOW, since we’re checking the integrity of the tarball anyway, and we
> > assume developers checked its authenticity when writing the recipe, then
> > who cares whether downloads.xiph.org has a valid certificate?
> >
> > Conversely, ‘guix download’ always checks certificates by default.
> >
> > Does it make sense?
>
> Yes, and I agree with this behavior. However, it should be noted that
> this will reduce the security of a bad practice that I suspect is
> sometimes used by people when updating packages, namely to update the
> version number, try building it, and then copy the hash from the error
> message to the package.

Yeah, that's a bad habit and I warn people against it whenever it comes
up :/

> FWIW, I always check digital signatures when they're available, and I
> hope that others will as well, but in practice we are putting our faith
> in a large number of contributors, some of whom might not be so careful.
>
> Also, sadly, many packages are distributed without digital signatures at
> all. One glaring example is NSS.

Do we have any contacts at Mozilla we can talk to about this? I imagine
it's a long shot, with many bureaucratic hurdles, but it's worth asking
for.