Follow-up Comment #2, sr #109567 (project administration):

> everyone is free to set up a mirror, and we add them to our list on their request.

Ouch, this is bad. Someone who wants to become MITM for some packages just has to set up a mirror, notify GNU, and add trojan horses to the sources and binaries they offer.

> I think the only real protection is signatures.

Signatures done right would work, yes. But not in the current form:

1) It picks some mirror (in my tests, even the SAME mirror) for a file and its signature file. (I tried https://download.savannah.nongnu.org/releases/acl/acl-2.2.53.tar.gz and https://download.savannah.nongnu.org/releases/acl/acl-2.2.53.tar.gz.sig.) To enforce security, it would make sense to fetch the .sig file from the main site and only the non-signature files from the mirror.

2) It requires that users check the signatures. Distros are doing this, but end users often are not - because there is no easy "download + check signature" script available. Some work may be in progress on creating such a script, I don't know.

3) The signatures rely on PGP/GPG, and we all know that there are fake identities floating around in the PGP/GPG servers that are only apparent when checking more than the usual 8 digits of a key ID.

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?109567>

_______________________________________________

Message sent via Savannah
  https://savannah.gnu.org/
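Points 1 and 2 of the comment describe a fetch policy (payload from a mirror, detached .sig from the main site) and the "download + check signature" script that the commenter says does not exist. The following is an added example written for this page, not a script from Savannah, GNU or the thread: it applies that policy and then accepts a gpg result only when the full 40-hex-digit fingerprint of the signing key's primary key equals a pinned value. The mirror base URL, the placeholder fingerprint and the key file argument are assumptions; `gpg` is assumed to be on PATH.

```python
"""Fetch a release tarball from a mirror, its detached .sig from the main site,
and verify the signature against a pinned full fingerprint with gpg."""
import os
import subprocess
import tempfile
import urllib.request
from urllib.parse import urljoin

# Assumed values for the example. MAIN_BASE is the host treated as canonical;
# MIRROR_BASE is a constructed mirror, not a real Savannah mirror.
MAIN_BASE = "https://download.savannah.nongnu.org/releases/"
MIRROR_BASE = "https://mirror.example.org/savannah/"
# Placeholder fingerprint. A real script pins the maintainer's 40-hex-digit
# fingerprint obtained out of band, never a key looked up by 8-digit ID.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"


def plan_urls(relpath, mirror_base=MIRROR_BASE, main_base=MAIN_BASE):
    """Return (tarball_url, sig_url): payload from the mirror, .sig from the main site."""
    return urljoin(mirror_base, relpath), urljoin(main_base, relpath + ".sig")


def parse_validsig(status_text):
    """Extract (signing_fpr, primary_fpr) from gpg --status-fd output, or None.

    gpg prints one line per verified signature:
    [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
                      <hash-algo> <class> <primary-key-fpr>
    Only VALIDSIG counts; GOODSIG/BADSIG/ERRSIG lines are ignored.
    """
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 12 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper(), parts[11].upper()
    return None


def fingerprint_matches(found_fpr, pinned_fpr):
    """Compare the full 40-hex-digit fingerprint, never just the last 8 or 16 digits."""
    found = found_fpr.replace(" ", "").upper()
    pinned = pinned_fpr.replace(" ", "").upper()
    return len(found) == 40 and found == pinned


def verify_with_gpg(tarball, sig, pinned_fpr, gnupghome):
    """Run gpg against an isolated keyring; accept only a VALIDSIG by the pinned key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        env={**os.environ, "GNUPGHOME": gnupghome},
        capture_output=True, text=True,
    )
    found = parse_validsig(proc.stdout)
    if found is None:
        return False
    _signing_fpr, primary_fpr = found
    # A signing subkey is accepted only if it belongs to the pinned primary key.
    return fingerprint_matches(primary_fpr, pinned_fpr)


def fetch(url, dest):
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())


if __name__ == "__main__":
    import sys
    # usage: verify_release.py acl/acl-2.2.53.tar.gz maintainer-key.asc
    relpath, keyfile = sys.argv[1], sys.argv[2]
    tarball_url, sig_url = plan_urls(relpath)
    with tempfile.TemporaryDirectory() as home:   # fresh GNUPGHOME, no stray keys
        os.chmod(home, 0o700)
        tarball = os.path.join(home, os.path.basename(relpath))
        fetch(tarball_url, tarball)
        fetch(sig_url, tarball + ".sig")
        subprocess.run(["gpg", "--batch", "--import", keyfile],
                       env={**os.environ, "GNUPGHOME": home},
                       check=True, capture_output=True)
        ok = verify_with_gpg(tarball, tarball + ".sig", PINNED_FPR, home)
        print("OK" if ok else "FAILED", tarball_url)
        sys.exit(0 if ok else 1)
```

A bare `gpg --verify` exit status only says that the signature is valid for some key in the keyring; the full-fingerprint comparison is what ties it to the maintainer, and the throwaway GNUPGHOME keeps whatever else sits in the user's keyring out of the decision. The split of tarball and .sig across two hosts means a single trojaned mirror cannot supply a matching signature for its own modified file.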
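Point 3 of the comment concerns key IDs that only differ beyond the usual 8 hex digits. As an added example, not code from the thread or from GnuPG, the block below computes OpenPGP v4 fingerprints (SHA-1 over 0x99, a two-byte length and the public-key packet body) for constructed RSA key packets and runs a birthday search over the creation timestamp until two keys share a short key ID. The modulus is a constructed dummy, not a real key; only the packet framing and fingerprint arithmetic are real.

```python
"""Why an 8-hex-digit key ID proves nothing: compute OpenPGP v4 fingerprints for
constructed key packets and find two keys whose short key IDs collide."""
import hashlib
import struct


def mpi(x):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def rsa_key_body(created, n, e):
    """Body of a v4 RSA public-key packet: version 4, creation time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fpr):
    return fpr[-16:]   # low 64 bits of the fingerprint


def short_key_id(fpr):
    return fpr[-8:]    # low 32 bits: the "usual 8 digits of a key ID"


# Constructed dummy modulus and exponent: not a usable RSA key, just bytes of the
# right shape (2048-bit, top and bottom bits set) so the packet encoding is realistic.
DUMMY_N = int.from_bytes(hashlib.sha256(b"not a real modulus").digest() * 8, "big") | (1 << 2047) | 1
DUMMY_E = 65537


def find_short_id_collision(n=DUMMY_N, e=DUMMY_E, start=1_500_000_000, limit=1 << 19):
    """Birthday search over the creation timestamp until two keys share a short ID.

    Returns (created_a, created_b, fpr_a, fpr_b). With a 32-bit ID space the
    expected cost is around 2^16 fingerprints, i.e. well under a second.
    The search is deterministic: same inputs, same colliding pair.
    """
    seen = {}
    for created in range(start, start + limit):
        fpr = v4_fingerprint(rsa_key_body(created, n, e))
        sid = short_key_id(fpr)
        if sid in seen:
            other_created, other_fpr = seen[sid]
            return other_created, created, other_fpr, fpr
        seen[sid] = (created, fpr)
    raise RuntimeError("no short-ID collision within limit")


if __name__ == "__main__":
    a, b, fa, fb = find_short_id_collision()
    print(f"created={a}: {fa}  short={short_key_id(fa)}  long={long_key_id(fa)}")
    print(f"created={b}: {fb}  short={short_key_id(fb)}  long={long_key_id(fb)}")
```

The two keys found this way carry different fingerprints and different 16-digit long IDs but print identically as 8-digit IDs, which is all a keyserver search or a casual `gpg --list-keys` shows. Colliding with a chosen victim's short ID rather than with an arbitrary sibling costs on the order of 2^32 fingerprint computations, which is within reach of one machine; the only identifier worth pinning in a download script is the full fingerprint.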