GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

Message #44 received at 27437 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: Mark H Weaver <mhw <at> netris.org>, 27437 <at> debbugs.gnu.org
Subject: Re: bug#27437: Source downloader accepts X.509 certificate for
 incorrect domain
Date: Fri, 23 Jun 2017 09:29:46 +0200

[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Jun 22, 2017 at 11:45:26PM +0200, Ricardo Wurmus wrote:
>> 
>> Mark H Weaver <mhw <at> netris.org> writes:
>> 
>> > FWIW, I always check digital signatures when they're available, and I
>> > hope that others will as well, but in practice we are putting our faith
>> > in a large number of contributors, some of whom might not be so careful.
>> 
>> I do the same when signatures are available.  I couldn’t find this
>> recommendation in “contributing.texi” — should we add it there?
>
> To me, it seems that the manual section Packaging Guidelines is a better
> fit.
>
> But, we tend to recommend people read Contributing, but rarely do I see
> Packaging Guidelines recommended. I suppose it's assumed they will find
> it themselves.

“Packaging Guidelines” refers to “Contributing”.  I tried to add this to
“Packaging Guidelines” but couldn’t find an appropriate place, so here’s
a patch that adds an item to the checklist in “Contributing”.

WDYT?


[0001-doc-Encourage-signature-verification.patch (text/x-patch, inline)]
From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado <at> elephly.net>
Date: Fri, 23 Jun 2017 09:24:58 +0200
Subject: [PATCH] doc: Encourage signature verification.

* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures.
---
 doc/contributing.texi | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/contributing.texi b/doc/contributing.texi
index 925c584e4..0073f2451 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
 affect the whole system---something that bundled copies prevent.
 
 @item
+If the authors of the packaged software provide a cryptographic
+signature for the release tarball, make an effort to verify the
+authenticity of the archive.  For a detached GPG signature file this
+would be done with the @code{gpg --verify} command.
+
+@item
 Take a look at the profile reported by @command{guix size}
 (@pxref{Invoking guix size}).  This will allow you to notice references
 to other packages unwillingly retained.  It may also help determine
-- 
2.12.2


[Message part 3 (text/plain, inline)]
-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net
This bug report was last modified 7 years and 304 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.