Ville Skyttä wrote:
> Standard procedures for
> checking the authenticity of sources should include GPG/signature
> checking (if available), checksum checking (if available, hopefully
> signed), and cross checking with other consumers (e.g. other distros,
> if available).
>
> But not using HTTPS, even if it's the only method available?
>
> > If an upstream project doesn't PGP-sign the tarballs but does make
> > them available over HTTPS, then the TLS connection is the only thing
> > that ensures that the tarball you receive is the one that the
> > developers published.
>
> No, it doesn't, at all. For example the server may have had all its
> content compromised and serve all that over an HTTPS connection that
> passes whatever validity and authenticity checks one might want to
> throw at it.
And how does sabotaging HTTPS improve the situation?
Are you hoping that the attacker won't bother compromising the server
because a man-in-the-middle attack on the unauthenticated connection
will be easier?
--
Björn Persson
Sent from my computer.
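As an added example, not part of the thread above or of any distro's tooling, here is the "checksum checking (hopefully signed)" step of the procedure Ville lists, written in Python against a constructed SHA256SUMS file in the format sha256sum(1) emits. The tarball contents, file names and digests are all made up for the example. The signature on the SHA256SUMS file itself (e.g. `gpg --verify SHA256SUMS.asc SHA256SUMS` against a key obtained out of band) has to be checked before any of this output is trusted; that step is deliberately not modelled here, because without it the checksum file proves nothing more than the transport did.

```python
"""Verify downloaded source tarballs against a SHA256SUMS file.

Added example, not from the mailing-list thread. Checksum-file format is
that of sha256sum(1): "<64 hex chars><space><space or '*'><filename>".
The signature over SHA256SUMS must be verified separately before trusting it.
"""
import hashlib
import hmac
import re

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical names and contents): two "tarballs"
# as downloaded, one of which was altered after the checksums were published.
TARBALLS = {
    "foo-1.0.tar.gz": b"pretend this is foo-1.0",
    "bar-2.3.tar.gz": b"pretend this is bar-2.3 (tampered)",
}

# Constructed SHA256SUMS as upstream would have published it: computed over the
# untampered bar content, so bar must fail verification below. The '*' marks
# binary mode, as sha256sum -b writes it; comments and blank lines are ignored.
SHA256SUMS = (
    f"{sha256_hex(b'pretend this is foo-1.0')}  foo-1.0.tar.gz\n"
    f"{sha256_hex(b'pretend this is bar-2.3')} *bar-2.3.tar.gz\n"
    "# comment line\n"
    "\n"
)

LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum(1) output into {filename: lowercase hex digest}.

    Any line that is neither blank, a comment, nor a well-formed entry is an
    error: a checksum file we cannot fully parse is not one we should trust.
    """
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno}: unparseable: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in expected and expected[name] != digest:
            raise ValueError(f"SHA256SUMS: conflicting digests for {name}")
        expected[name] = digest
    return expected

def verify(files: dict[str, bytes], sums_text: str) -> dict[str, str]:
    """Return {filename: 'OK' | 'FAILED' | 'MISSING' | 'UNLISTED'}.

    Every entry in SHA256SUMS is checked; a downloaded file that the checksum
    file does not cover is reported as UNLISTED rather than silently accepted.
    """
    expected = parse_sha256sums(sums_text)
    result: dict[str, str] = {}
    for name, digest in expected.items():
        if name not in files:
            result[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            result[name] = "OK"
        else:
            result[name] = "FAILED"
    for name in files:
        if name not in expected:
            result[name] = "UNLISTED"
    return result

if __name__ == "__main__":
    for name, status in verify(TARBALLS, SHA256SUMS).items():
        print(f"{name}: {status}")
```

Run as-is it reports foo-1.0.tar.gz as OK and bar-2.3.tar.gz as FAILED. Note what this does and does not buy: the check catches a tarball that differs from the one the checksum file describes, which covers a tampered mirror or a modified download, but only if the checksum file came from somewhere the attacker could not also rewrite, which is exactly why the signature on it matters more than the channel it arrived over.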