Source file audit - 2013-11-17

Björn Persson bjorn at
Fri Nov 22 00:51:27 UTC 2013

Ville Skyttä wrote:
>Standard procedures for
>checking the authenticity of sources should include GPG/signature
>checking (if available), checksum checking (if available, hopefully
>signed), and cross checking with other consumers (e.g. other distros,
>if available).

But not using HTTPS, even if it's the only method available?

>> If an upstream project doesn't PGP-sign the tarballs but does make
>> them available over HTTPS, then the TLS connection is the only thing
>> that ensures that the tarball you receive is the one that the
>> developers published.
>No, it doesn't, at all. For example the server may have had all its
>content compromised and serve all that over an HTTPS connection that
>passes whatever validity and authenticity checks one might want to
>throw at it.

And how does sabotaging HTTPS improve the situation?

Are you hoping that the attacker won't bother compromising the server
because a man-in-the-middle attack on the unauthenticated connection
will be easier?

Björn Persson

Sent from my computer.
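The checks Ville lists above (signature if available, checksum if available) written out as a shell function, added here as an example that is not part of this thread. It assumes a detached signature named TARBALL.asc and a SHA256SUMS file next to the tarball, and that the upstream signing key has already been imported from a trusted source; it fails closed when no check at all can be performed.

```sh
#!/bin/sh
# verify_source TARBALL: verify a detached PGP signature (TARBALL.asc) when
# one exists, then verify TARBALL against a SHA256SUMS file in the same
# directory. Returns 0 only if every available check passes and at least
# one check was possible.
verify_source() {
    tarball=$1
    dir=$(dirname "$tarball")
    name=$(basename "$tarball")
    checked=0

    # Signature check, if upstream published a detached signature. gpg
    # rejects the signature unless the signing key is already in the keyring.
    if [ -f "$tarball.asc" ]; then
        gpg --verify "$tarball.asc" "$tarball" || return 1
        checked=1
    fi

    # Checksum check, if upstream published a checksum list. Only the line
    # for this exact file name is used, so a missing entry is a failure and
    # an unrelated entry cannot mask it. A leading '*' (binary-mode marker)
    # in the file name column is tolerated.
    if [ -f "$dir/SHA256SUMS" ]; then
        expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' \
            "$dir/SHA256SUMS")
        [ -n "$expected" ] || return 1
        actual=$(sha256sum "$tarball" | awk '{ print $1 }')
        [ "$expected" = "$actual" ] || return 1
        checked=1
    fi

    # Neither a signature nor a checksum list was available: refuse rather
    # than silently treating the tarball as verified.
    [ "$checked" -eq 1 ]
}
```

Cross-checking with other distributions (the third item in Ville's list) is not automated here; the function only tells you whether the artifact matches what upstream published, not whether what upstream published is sane.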