GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ng0 <ng0 <at> infotropique.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Mark H Weaver <mhw <at> netris.org>, 27437 <at> debbugs.gnu.org
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 21:30:36 +0000

[Message part 1 (text/plain, inline)]
Leo Famulari transcribed 2.4K bytes:
> On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote:
> > ludo <at> gnu.org (Ludovic Courtès) writes:
> > > IOW, since we’re checking the integrity of the tarball anyway, and we
> > > assume developers checked its authenticity when writing the recipe, then
> > > who cares whether downloads.xiph.org has a valid certificate?
> > >
> > > Conversely, ‘guix download’ always checks certificates by default.
> > >
> > > Does it make sense?
> > 
> > Yes, and I agree with this behavior.  However, it should be noted that
> > this will reduce the security of a bad practice that I suspect is
> > sometimes used by people when updating packages, namely to update the
> > version number, try building it, and then copy the hash from the error
> > message to the package.
> 
> Yeah, that's a bad habit and I warn people against it whenever it comes
> up :/
> 
> > FWIW, I always check digital signatures when they're available, and I
> > hope that others will as well, but in practice we are putting our faith
> > in a large number of contributors, some of whom might not be so careful.
> > 
> > Also, sadly, many packages are distributed without digital signatures at
> > all.  One glaring example is NSS.
> 
> Do we have any contacts at Mozilla we can talk to about this? I imagine
> it's a long shot, with many bureaucratic hurdles, but it's worth asking
> for.

One way is their bugtracker. Does anyone of us have an Account at their
bugzilla?

If it can't be discussed via bugzilla, there must be some mailinglist
for the nss development.
-- 
ng0
OpenPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://krosos.org/~/ng0/ https://www.infotropique.org

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 304 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.