GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Mike Gerwitz <mtg <at> gnu.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 27437 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 20:45:42 -0400

[Message part 1 (text/plain, inline)]
On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote:
> I think only GNU and kernel.org provide signatures, which represents 6%
> of our packages.  Of the 30% that do not have an updater, surely some
> have digital signatures, but we’re probably still below 10%.  The
> situation is bad in general…

What about signed tags/commits?

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 304 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.