GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 21 Jun 2017 06:19:01 UTC
Severity: normal
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
Ricardo Wurmus <rekado <at> elephly.net> writes:
> Mark H Weaver <mhw <at> netris.org> writes:
>
>> FWIW, I always check digital signatures when they're available, and I
>> hope that others will as well, but in practice we are putting our faith
>> in a large number of contributors, some of whom might not be so careful.
>
> I do the same when signatures are available. I couldn’t find this
> recommendation in “contributing.texi” — should we add it there?
I think so. Many contributors won't have used GnuPG before downloading
Guix and may not remember how/why when it's time to package something.
There are a fair number of PyPI packages that are signed; I've been
meaning to make the updater aware of it. See scipy, numpy and friends.
Wouldn't mind if someone beats me to it!
As far as NSS goes, releases are announced at their "dev-tech-crypto"
mailing list[0], but the announcements are not signed either (nor do
they contain hashes). The only authenticity they provide is the TLS
connection to ftp.mozilla.org[1].
Anyone up for drafting an email to the list?
[0] https://lists.mozilla.org/listinfo/dev-tech-crypto
[1] SHA256 fingerprint (valid until 2020):
3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B
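The two authenticity checks discussed in this message, as an added example that is not code from the bug report or from Guix: verify a detached OpenPGP signature against an isolated keyring when upstream provides one, and, for a project like NSS that publishes neither signatures nor hashes, fetch over TLS with the server certificate's SHA-256 fingerprint pinned on top of the usual chain and hostname validation. The fingerprint format is the colon-separated one quoted above; the host, path, keyring and file names used in the usage lines are hypothetical, and the network fetch is not exercised by the offline checks.

```python
"""Added example, not Guix project code: authenticate an upstream source
download either by its detached OpenPGP signature or, as a weaker fallback,
by pinning the SHA-256 fingerprint of the download host's X.509 certificate.
"""
import hashlib
import hmac
import http.client
import shutil
import ssl
import subprocess


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: uppercase hex pairs joined by ':' (the format used in
    the bug report). Accepts input with or without colons or spaces."""
    hexdigits = "".join(ch for ch in fp if ch not in ": ").upper()
    if len(hexdigits) != 64 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError("expected a 32-byte SHA-256 fingerprint in hex")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, formatted as above.
    This is exactly what browsers and `openssl x509 -fingerprint -sha256` show."""
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())


def fingerprints_match(seen: str, pinned: str) -> bool:
    """Constant-time comparison of two fingerprints in any accepted format."""
    return hmac.compare_digest(normalize_fingerprint(seen),
                               normalize_fingerprint(pinned))


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that keeps the default chain + hostname validation and
    additionally refuses any leaf certificate other than the pinned one."""

    def __init__(self, host: str, pinned_fp: str, **kwargs):
        super().__init__(host, context=ssl.create_default_context(), **kwargs)
        self.pinned_fp = normalize_fingerprint(pinned_fp)

    def connect(self):
        super().connect()  # performs the TLS handshake and CA validation
        seen = cert_fingerprint(self.sock.getpeercert(binary_form=True))
        if not fingerprints_match(seen, self.pinned_fp):
            self.close()
            raise ssl.SSLError(f"certificate pin mismatch: server presented {seen}")


def fetch_pinned(host: str, path: str, pinned_fp: str) -> bytes:
    """Download `path` from `host`, aborting before any request is sent if the
    certificate pin does not match. Note that this authenticates the server
    only, not the file: a compromised mirror still serves a bad tarball."""
    conn = PinnedHTTPSConnection(host, pinned_fp)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return resp.read()
    finally:
        conn.close()


def verify_detached_signature(tarball: str, sig: str, keyring: str) -> bool:
    """Run gpg against an isolated keyring holding only the upstream release
    key(s), so a stray key in ~/.gnupg cannot vouch for the download.
    Requires the gpg binary; not exercised by the offline checks below."""
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig, tarball]
    return subprocess.run(cmd, capture_output=True).returncode == 0


# Pin quoted in the bug report for ftp.mozilla.org (valid until 2020, so any
# such pin needs an expiry note and a rotation plan).
FTP_MOZILLA_ORG_2017_PIN = (
    "3B:9F:F6:DC:11:F8:96:B1:62:60:3D:29:36:0B:E6:4E:"
    "69:F8:34:E9:B3:7A:05:7A:5B:84:CD:54:E5:8E:7C:8B"
)

if __name__ == "__main__":
    # Constructed sample input: any byte string hashes the same way a DER cert does.
    print(cert_fingerprint(b"constructed sample, not a real certificate"))
    # Hypothetical usage (network / gpg required):
    # data = fetch_pinned("ftp.mozilla.org", "/pub/security/nss/releases/"
    #                     "NSS_3_31_RTM/src/nss-3.31.tar.gz", FTP_MOZILLA_ORG_2017_PIN)
    # ok = verify_detached_signature("numpy-1.13.0.tar.gz", "numpy-1.13.0.tar.gz.asc",
    #                                "/path/to/numpy-release-keys.gpg")
```

The pin is a last resort rather than a substitute for signatures: it proves only that the bytes came from a host holding that key, it breaks whenever the certificate is renewed (the one quoted expires in 2020), and it says nothing about who built the tarball. A detached signature checked against an isolated keyring of upstream release keys remains the check to prefer whenever a project offers one.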