GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain


Package: guix

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.


From: ludo <at> gnu.org (Ludovic Courtès)
To: Mike Gerwitz <mtg <at> gnu.org>
Cc: 27437 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Fri, 23 Jun 2017 11:31:40 +0200

Mike Gerwitz <mtg <at> gnu.org> wrote:

> On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote:
>> I think only GNU and kernel.org provide signatures, which represents 6%
>> of our packages.  Of the 30% that do not have an updater, surely some
>> have digital signatures, but we’re probably still below 10%.  The
>> situation is bad in general…
>
> What about signed tags/commits?

They’re becoming more widespread, especially now that GitHub’s UI can
make sense of them.  Nevertheless, I don’t think it changes the ratio
much if we look at the whole package set that we have.

Ludo’.




This bug report was last modified 7 years and 304 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.