On Thu, Nov 21, 2013 at 08:41:21PM +0200, Ville Skyttä wrote:
On Thu, Nov 21, 2013 at 4:53 PM, Björn Persson
> Ville Skyttä wrote:
>>spectool is not a source verification tool nor a certificate
>>validation one, and I'm not going to help people get the misconception
>>that it might be something like that.
> So how do you think the verification should be done?
Um, source verification needs to be done... by verifying the sources?
Diligence how deep maintainers want to go and their competence levels
vary, but there's really no way around it. Standard procedures for
checking the authenticity of sources should include GPG/signature
checking (if available), checksum checking (if available, hopefully
signed), and cross checking with other consumers (e.g. other distros,
if available). And authenticity checking is not verifying the sources
nor enough -- upstreams make mistakes too, and packagers should really
know what they're shipping, read and understand diffs between releases
How many packagers do this?
> If an upstream project doesn't PGP-sign the tarballs but does make them
> available over HTTPS, then the TLS connection is the only thing that
> ensures that the tarball you receive is the one that the developers
No, it doesn't, at all. For example the server may have had all its
content compromised and serve all that over an HTTPS connection that
passes whatever validity and authenticity checks one might want to
throw at it.
Even if you read the diff, it might not help, because an important fix
for a vulnerability might be missing. So there is no 100% security.
However, using HTTPS URLs with sane software should allow one to trust that
the TLS connection was properly verified. With the change you also put at
risk persons who are e.g. upstream and Fedora maintainers using HTTPS URLs
to fetch their published tarball. There is no need for them to use other
out-of-band validation techniques to verify that the tarball they
downloaded is the same they uploaded unless they have reasonable doubt
about their system.
However, if you do not want to use HTTPS to verify the transferred
contents then just use plain HTTP. Using HTTPS but not verifying the
server's certificate only makes things worse as long as no secret
contents are transmitted.
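The "standard procedures" Ville lists above (signature check if available, checksum check if available) are the part of source verification that a transport-level TLS check cannot replace. The following is an added example, not code from this thread, from spectool, or from any Fedora tool: it parses a sha256sum(1)-style SHA256SUMS file, compares a downloaded tarball against it with a constant-time comparison, and, where a `gpg` binary is present on PATH (an assumption), verifies a detached signature. The tarball bytes and the SHA256SUMS text are constructed stand-ins so the checksum part runs offline; the file names and keyring path are illustrative.

```python
import hashlib
import hmac
import shutil
import subprocess
from typing import Optional

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (the tarball as downloaded)."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(sums_text: str) -> dict:
    """Parse sha256sum(1) output: '<64 hex>  <name>' or '<64 hex> *<name>'.

    Blank lines and '#' comments are skipped; a malformed digest raises
    rather than silently being treated as 'no entry'.
    """
    entries = {}
    for lineno, raw in enumerate(sums_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed entry")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"SHA256SUMS line {lineno}: bad SHA-256 digest")
        # sha256sum marks binary-mode entries with a leading '*'.
        entries[name.lstrip("*")] = digest
    return entries


def verify_checksum(sums_text: str, name: str, data: bytes) -> bool:
    """True iff `data` matches the digest recorded for `name`.

    Raises KeyError when the sums file has no entry for the file: a missing
    entry must not be mistaken for a passing check.
    """
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        raise KeyError(f"no SHA256SUMS entry for {name}")
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_detached_signature(sig_path: str, data_path: str,
                              keyring: Optional[str] = None) -> Optional[bool]:
    """Run `gpg --verify` on a detached signature (assumes a `gpg` binary).

    Returns None when gpg is not installed so the caller can distinguish
    'not checked' from 'checked and failed'. Pinning a project keyring via
    --keyring avoids trusting whatever happens to be in the user's default
    keyring; the keyring path is the caller's, not anything from this thread.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # Exit status 0 means a good signature; the VALIDSIG status line is the
    # machine-readable confirmation of that.
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


# Constructed sample input (not a real tarball, not a real upstream release).
SAMPLE_TARBALL = b"constructed stand-in for foo-1.0.tar.gz contents\n"
SAMPLE_TAMPERED = SAMPLE_TARBALL + b"# line injected on a compromised mirror\n"
SAMPLE_SUMS = (
    "# constructed SHA256SUMS for the example\n"
    f"{sha256_hex(SAMPLE_TARBALL)}  foo-1.0.tar.gz\n"
    f"{sha256_hex(b'other')} *bar-2.0.tar.gz\n"
)

if __name__ == "__main__":
    print("pristine :", verify_checksum(SAMPLE_SUMS, "foo-1.0.tar.gz", SAMPLE_TARBALL))
    print("tampered :", verify_checksum(SAMPLE_SUMS, "foo-1.0.tar.gz", SAMPLE_TAMPERED))
    # Signature check only runs if gpg is installed and the files exist.
    print("signature:", verify_detached_signature("foo-1.0.tar.gz.asc",
                                                  "foo-1.0.tar.gz",
                                                  keyring="/path/to/project.gpg"))
```

The checksum step only helps against the scenario Ville describes (a compromised server behind a perfectly valid TLS session) when the SHA256SUMS file itself is signed or obtained from an independent source, which is why the signature check is kept as a separate, explicitly reported step rather than folded into the boolean.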