GNU bug report logs - #27437
Source downloader accepts X.509 certificate for incorrect domain


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 21 Jun 2017 06:19:01 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.



Message #50 received at 27437 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: Mark H Weaver <mhw <at> netris.org>, 27437 <at> debbugs.gnu.org,
 Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#27437: Source downloader accepts X.509 certificate for
 incorrect domain
Date: Thu, 27 Jul 2017 14:29:29 +0200

Ricardo Wurmus <rekado <at> elephly.net> wrote:

>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
> From: Ricardo Wurmus <rekado <at> elephly.net>
> Date: Fri, 23 Jun 2017 09:24:58 +0200
> Subject: [PATCH] doc: Encourage signature verification.
>
> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
> cryptographic signatures.
> ---
>  doc/contributing.texi | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/doc/contributing.texi b/doc/contributing.texi
> index 925c584e4..0073f2451 100644
> --- a/doc/contributing.texi
> +++ b/doc/contributing.texi
> @@ -334,6 +334,12 @@ updates for a given software package in a single place and have them
>  affect the whole system---something that bundled copies prevent.
>  
>  @item
> +If the authors of the packaged software provide a cryptographic
> +signature for the release tarball, make an effort to verify the
> +authenticity of the archive.  For a detached GPG signature file this
> +would be done with the @code{gpg --verify} command.
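
Review bot: In the added @item, "make an effort to verify the authenticity of the archive" followed by a bare @code{gpg --verify} leaves out the step that makes the check meaningful. A good signature only shows that the tarball was signed by some key, so the text should also tell contributors to confirm that the key's fingerprint belongs to the upstream authors, using a source other than the download location. It would also help to show the detached-signature invocation with both file arguments, the signature file followed by the tarball, so it is clear which archive is being checked. Only four of the six added lines are quoted here, so the remainder of the item may already address part of this.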

I would make it the very first item of the check list.

If that’s fine with you, please push and maybe close the bug!

Ludo’.




This bug report was last modified 7 years and 304 days ago.
