GNU bug report logs -
#27437
Source downloader accepts X.509 certificate for incorrect domain
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 21 Jun 2017 06:19:01 UTC
Severity: normal
Done: Ricardo Wurmus <rekado <at> elephly.net>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Ricardo Wurmus <rekado <at> elephly.net> skribis:
>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado <at> elephly.net>
> Date: Fri, 23 Jun 2017 09:24:58 +0200
> Subject: [PATCH] doc: Encourage signature verification.
>
> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
> cryptographic signatures.
> ---
> doc/contributing.texi | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/doc/contributing.texi b/doc/contributing.texi
> index 925c584e4..0073f2451 100644
> --- a/doc/contributing.texi
> +++ b/doc/contributing.texi
> @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
> affect the whole system---something that bundled copies prevent.
>
> @item
> +If the authors of the packaged software provide a cryptographic
> +signature for the release tarball, make an effort to verify the
> +authenticity of the archive. For a detached GPG signature file this
> +would be done with the @code{gpg --verify} command.
I would make it the very first item of the check list.
If that’s fine with you, please push and maybe close the bug!
Ludo’.
This bug report was last modified 7 years and 304 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.