Source file audit - 2013-11-17
Björn Persson
bjorn at xn--rombobjrn-67a.se
Fri Nov 22 00:51:27 UTC 2013
Ville Skyttä wrote:
>Standard procedures for
>checking the authenticity of sources should include GPG/signature
>checking (if available), checksum checking (if available, hopefully
>signed), and cross checking with other consumers (e.g. other distros,
>if available).
But not using HTTPS, even if it's the only method available?
>> If an upstream project doesn't PGP-sign the tarballs but does make
>> them available over HTTPS, then the TLS connection is the only thing
>> that ensures that the tarball you receive is the one that the
>> developers published.
>
>No, it doesn't, at all. For example the server may have had all its
>content compromised and serve all that over an HTTPS connection that
>passes whatever validity and authenticity checks one might want to
>throw at it.
And how does sabotaging HTTPS improve the situation?
Are you hoping that the attacker won't bother compromising the server
because a man-in-the-middle attack on the unauthenticated connection
will be easier?
--
Björn Persson
Sent from my computer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20131122/5d6e3629/attachment.sig>
More information about the devel
mailing list