Re: [arch-dev-public] todo list for moving http -> https sources

On 2016-10-31 14:19, NicoHood wrote: > I'd also vote for https. It does not hurt to use a secure channel to > download the sources from. It would be great if we as ArchLinux team > could make the first step into that direction. > > However if you write such a script, it should also check if an

Re: [arch-dev-public] todo list for moving http -> https sources

[2016-11-01 09:55:11 -0400] Dave Reisner: > On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote: > > [2016-10-31 10:05:26 -0400] Dave Reisner: > > > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote: > > > > I agree with Sébastien. We should encourage upstream to digitally

Re: [arch-dev-public] todo list for moving http -> https sources

On 01/11, Sébastien Luttringer wrote: On Sun, 2016-10-30 at 22:47 -0400, Dave Reisner wrote: On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote: > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > As I use a transparent http cache at home (2Mb/s bandwidth), so far I

Re: [arch-dev-public] todo list for moving http -> https sources

On Sun, 2016-10-30 at 22:47 -0400, Dave Reisner wrote: > On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote: > > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > > As I use a transparent http cache at home (2Mb/s bandwidth), so far I only > > added the signature, and not

Re: [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 04:09:40PM -1000, Gaetan Bisson wrote: > [2016-10-31 10:05:26 -0400] Dave Reisner: > > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote: > > > I agree with Sébastien. We should encourage upstream to digitally sign > > > their releases, and verify their

Re: [arch-dev-public] todo list for moving http -> https sources

[2016-10-31 15:19:40 +0100] NicoHood: > I'd also vote for https. It does not hurt to use a secure channel to > download the sources from. It would be great if we as ArchLinux team > could make the first step into that direction. > > Using PGP signatures is another discussion, also the hash

Re: [arch-dev-public] todo list for moving http -> https sources

[2016-10-31 10:05:26 -0400] Dave Reisner: > On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote: > > I agree with Sébastien. We should encourage upstream to digitally sign > > their releases, and verify their authenticity in our PKGBUILDs. > > > > Downloading releases over HTTPS gives a

Re: [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 03:33:42PM -0400, Dave Reisner wrote: > On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote: > > Am 31.10.2016 um 15:05 schrieb Dave Reisner: > > > Asking every upstream to provide a PGP signature isn't a process which > > > will scale, > > > > I am against

Re: [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote: > Am 31.10.2016 um 15:05 schrieb Dave Reisner: > > Asking every upstream to provide a PGP signature isn't a process which > > will scale, > > I am against enforcing https for projects which provide signatures. As > Sebastien pointed

Re: [arch-dev-public] todo list for moving http -> https sources

Am 31.10.2016 um 15:05 schrieb Dave Reisner: > Asking every upstream to provide a PGP signature isn't a process which > will scale, I am against enforcing https for projects which provide signatures. As Sebastien pointed out, there are valid reasons against using https and it adds no benefit when

Re: [arch-dev-public] todo list for moving http -> https sources

I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step into that direction. However if you write such a script, it should also check if an https download is available, as not all websites

Re: [arch-dev-public] todo list for moving http -> https sources

On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote: > [2016-10-31 03:23:48 +0100] Sébastien Luttringer: > > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > > > There's been a sizeable number of bugs filed over the past month or so > > > about changin PKGBUILDs to acquire

Re: [arch-dev-public] todo list for moving http -> https sources

On Mon, Oct 31, 2016 at 03:23:48AM +0100, Sébastien Luttringer wrote: > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > > Hi all, > > > > There's been a sizeable number of bugs filed over the past month or so > > about changin PKGBUILDs to acquire sources from https rather than http. > >

Re: [arch-dev-public] todo list for moving http -> https sources

[2016-10-31 03:23:48 +0100] Sébastien Luttringer: > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > > There's been a sizeable number of bugs filed over the past month or so > > about changin PKGBUILDs to acquire sources from https rather than http. > > Rather than continue to flood the

Re: [arch-dev-public] todo list for moving http -> https sources

On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote: > Hi all, > > There's been a sizeable number of bugs filed over the past month or so > about changin PKGBUILDs to acquire sources from https rather than http. > Rather than continue to flood the bug tracker, would anyone mind if I > wrote a

[arch-dev-public] todo list for moving http -> https sources

Hi all, There's been a sizeable number of bugs filed over the past month or so about changin PKGBUILDs to acquire sources from https rather than http. Rather than continue to flood the bug tracker, would anyone mind if I wrote a script to find instances of this and start a TODO list? This would,