Re: Checking signatures on source tarballs
From: Alex Kost
Subject: Re: Checking signatures on source tarballs
Date: Wed, 07 Oct 2015 20:45:53 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Mark H Weaver (2015-10-07 05:07 +0300) wrote:
> Alex Kost <address@hidden> writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost <address@hidden> skribis:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without
>>> going through the trouble of downloading the ‘.sig’ file and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to
> check signatures. We should not provide mechanisms that encourage such
> behavior. It jeopardizes the security of every user of those packages.
OK, apparently I underestimate security issues, thanks.
--
Alex
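As an added illustration of the workflow Ludovic and Mark argue for above (not code from this thread or from any Guix tool), the following POSIX shell function makes filling in the hash depend on a successful signature check: the sha256 of the tarball is only computed after the detached `.sig` verifies and was made by the expected key. It assumes `gpg` and `sha256sum` are installed, and the key fingerprint passed in is a placeholder the packager replaces with the upstream maintainer's fingerprint.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumes gpg and sha256sum are on PATH. The expected fingerprint is a
# placeholder that the packager replaces with the upstream signing key's.

# verify_then_hash TARBALL SIGFILE EXPECTED_FPR
# Prints the sha256 hash only when the signature verifies and the signing
# key matches EXPECTED_FPR; otherwise prints nothing and returns 1.
verify_then_hash() {
    tarball=$1; sigfile=$2; expected_fpr=$3
    # A missing .sig is a hard failure, not a reason to skip the check.
    [ -f "$sigfile" ] || { echo "no signature file for $tarball" >&2; return 1; }
    # Fail closed if gpg is unavailable rather than silently hashing.
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    # --status-fd exposes machine-readable status lines so we can check
    # which key made the signature, not merely that some signature is valid.
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null) || return 1
    # The VALIDSIG status line carries the full fingerprint of the signing key.
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) ;;
        *) echo "signature not made by expected key $expected_fpr" >&2; return 1 ;;
    esac
    # Only now is the tarball authenticated; emit the hash for the package field.
    sha256sum "$tarball" | cut -d' ' -f1
}
```

The ordering is the point: because the hash is produced by the same function that verifies the signature, there is no convenient path that yields a `sha256` value for a tarball whose origin was never checked, and a missing or mismatched signature leaves the field empty.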