On 11/29/2016 12:08 PM, Levente Polyak wrote:
> On 11/29/2016 11:33 AM, Baptiste Jonglez wrote:
>> For a package in [community], an expired certificate for the upstream
>> tarball is not a big deal, since it does not directly affect the Arch user
>> installing the package.  As a packager, you can just get the tarball by
>> some other means, or wait a few days so that somebody renews the cert.
>>
>> But for the AUR, an expired certificate would be annoying, as any user
>> trying to build the package (e.g. using an AUR helper) would encounter an
>> error.
>>
> 
> I call bullshit, especially as your cases are purely about github!
> Surely, as if they can't wait "a few days" in such an unlikely scenario.
> And what if upstream forgets to pay for their servers? It won't be
> available either.
> How often do you think that certificates stay in an expired state? Of
> course there may be one or two cases that could be named, it's still
> certainly nothing to build upon.
> 


About all this https discussion:
I think we should all conform to the gpg and https standards we made
recently (and the strong hashes that I suggested), and we should also try
to increase the quality of the AUR in general and, especially as TUs, advise
other people to do so too. Packaging a secure chat program and being so
lazy about https makes me wonder.

Also, you do not need to move the packages into community as fast as
possible. I became a TU months ago and arduino is still not in community
because some issues needed to be solved first. So quality and security
are more important here.

I think it'd be good for you to rethink the https (and gpg, hash) topic,
because, especially as a secure chat messenger packager, it'd be extremely
important to me that you try to achieve the best security possible.

~Nico

Attachment: signature.asc
Description: OpenPGP digital signature

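The three practices the thread argues about (https for every source, gpg signature verification with a populated validpgpkeys, and checksums stronger than md5 with SKIP reserved for the signature file) can be checked mechanically before a PKGBUILD is pushed. The lint below is an added example written for this page; it is not code from the thread, from Arch Linux, or from the AUR tooling. The PKGBUILDs it runs over are constructed, and the hostname (example.invalid), the hashes and the key fingerprint in them are placeholders. It parses the arrays with awk instead of sourcing the file, because sourcing an untrusted PKGBUILD executes whatever it contains.

```bash
#!/usr/bin/env bash
# Added example, not an Arch or AUR tool: a small lint for the three points
# raised in the thread, run over constructed PKGBUILDs. It checks that
#   1. every remote source uses https:// (not http:// or ftp://),
#   2. when a detached signature (.sig/.asc) is fetched, validpgpkeys is set
#      (otherwise makepkg cannot verify the signature against a trusted key),
#   3. checksums are sha256 or stronger, and SKIP is used only for signature files.
# The PKGBUILD is parsed with awk rather than sourced: sourcing an untrusted
# PKGBUILD would execute whatever it contains.

# Print the elements of bash array $2 from file $1, one per line, quotes stripped.
extract_array() {
    awk -v name="$2" '
        $0 ~ ("^" name "=\\(") { inarr = 1; sub(("^" name "=\\("), "") }
        inarr {
            line = $0
            if (line ~ /\)/) { sub(/\).*/, "", line); inarr = 0 }
            sub(/[ \t]#.*/, "", line)             # trailing "  # comment"
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                gsub(/^["'\'']|["'\'']$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$1"
}

# Lint one PKGBUILD: print each finding, return the number of findings (0 = clean).
lint_pkgbuild() {
    local file="$1" findings=0 has_sig=0 src sumname i
    local sources=() keys=() sums=()
    while IFS= read -r src; do sources+=("$src"); done < <(extract_array "$file" source)
    while IFS= read -r src; do keys+=("$src"); done < <(extract_array "$file" validpgpkeys)

    for src in "${sources[@]}"; do
        # 1. plaintext transport lets an on-path attacker swap the tarball
        case "$src" in
            http://*|ftp://*|git+http://*)
                echo "$file: plaintext transport: $src"; findings=$((findings + 1)) ;;
        esac
        case "$src" in *.sig|*.asc) has_sig=1 ;; esac
    done

    # 2. a downloaded signature proves nothing without a trusted key to check it against
    if [ "$has_sig" -eq 1 ] && [ "${#keys[@]}" -eq 0 ]; then
        echo "$file: signature in source= but validpgpkeys is empty"
        findings=$((findings + 1))
    fi

    # 3a. md5 and sha1 are not collision resistant
    for sumname in md5sums sha1sums; do
        if grep -q "^${sumname}=(" "$file"; then
            echo "$file: weak checksum array ${sumname}= (use sha256sums or stronger)"
            findings=$((findings + 1))
        fi
    done
    # 3b. SKIP disables verification; only the signature file itself should use it
    for sumname in sha256sums sha512sums b2sums; do
        sums=()
        while IFS= read -r src; do sums+=("$src"); done < <(extract_array "$file" "$sumname")
        for i in "${!sums[@]}"; do
            [ "${sums[$i]}" = SKIP ] || continue
            case "${sources[$i]:-}" in
                *.sig|*.asc) ;;
                *) echo "$file: SKIP checksum for non-signature source ${sources[$i]:-<none>}"
                   findings=$((findings + 1)) ;;
            esac
        done
    done
    return "$findings"
}

# Constructed sample PKGBUILDs (hostname, hashes and the key fingerprint are placeholders).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/PKGBUILD.bad" <<'EOF'
pkgname=examplechat
pkgver=1.0
source=("http://example.invalid/examplechat-1.0.tar.gz"
        "http://example.invalid/examplechat-1.0.tar.gz.sig")
md5sums=('d41d8cd98f00b204e9800998ecf8427e'
         'SKIP')
EOF
cat > "$SAMPLE_DIR/PKGBUILD.good" <<'EOF'
pkgname=examplechat
pkgver=1.0
source=("https://example.invalid/examplechat-1.0.tar.gz"
        "https://example.invalid/examplechat-1.0.tar.gz.sig")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP')
validpgpkeys=('0000000000000000000000000000000000000000')  # placeholder fingerprint
EOF
cat > "$SAMPLE_DIR/PKGBUILD.skip" <<'EOF'
source=("https://example.invalid/examplechat-1.0.tar.gz")
sha256sums=('SKIP')
EOF

for f in "$SAMPLE_DIR"/PKGBUILD.*; do
    if lint_pkgbuild "$f"; then echo "$f: OK"; fi
done
```

Run against the samples, the "bad" file yields four findings (two plaintext URLs, a signature with no trusted key, and an md5sums array), the "skip" file yields one (SKIP on the tarball itself), and the "good" file passes. The checks are deliberately conservative: a SKIP next to a .sig entry is accepted because makepkg verifies that file with gpg rather than by checksum, and the script never sources the PKGBUILD it inspects.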