Leo Famulari <[email protected]> skribis: > On Thu, Jun 22, 2017 at 11:33:31AM -0400, Mark H Weaver wrote: >> [email protected] (Ludovic Courtès) writes: >> > IOW, since we’re checking the integrity of the tarball anyway, and we >> > assume developers checked its authenticity when writing the recipe, then >> > who cares whether downloads.xiph.org has a valid certificate? >> > >> > Conversely, ‘guix download’ always checks certificates by default. >> > >> > Does it make sense? >> >> Yes, and I agree with this behavior. However, it should be noted that >> this will reduce the security of a bad practice that I suspect is >> sometimes used by people when updating packages, namely to update the >> version number, try building it, and then copy the hash from the error >> message to the package. > > Yeah, that's a bad habit and I warn people against it whenever it comes > up :/
Agreed. That said, if we look at our updaters: --8<---------------cut here---------------start------------->8--- $ guix refresh --list-updaters Available updaters: - cpan: Updater for CPAN packages (9.2% coverage) - cran: Updater for CRAN packages (4.0% coverage) - bioconductor: Updater for Bioconductor packages (1.2% coverage) - crates: Updater for crates.io packages (.0% coverage) - elpa: Updater for ELPA packages (.3% coverage) - gem: Updater for RubyGem packages (2.5% coverage) - github: Updater for GitHub packages (10.5% coverage) - hackage: Updater for Hackage packages (5.2% coverage) - pypi: Updater for PyPI packages (17.6% coverage) - stackage: Updater for Stackage LTS packages (5.2% coverage) - kernel.org: Updater for packages hosted on kernel.org (.5% coverage) - gnome: Updater for GNOME packages (2.9% coverage) - xorg: Updater for X.org packages (3.2% coverage) - gnu: Updater for GNU packages (5.6% coverage) - kde: Updater for KDE packages (1.3% coverage) 69.0% of the packages are covered by these updaters. --8<---------------cut here---------------end--------------->8--- I think only GNU and kernel.org provide signatures, which represents 6% of our packages. Of the 30% that do not have an updater, surely some have digital signatures, but we’re probably still below 10%. The situation is bad in general… Ludo’.
