Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Gaetan Bisson
[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
>
> Using PGP signatures is another discussion, also the hash

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Gaetan Bisson
[2016-10-31 10:05:26 -0400] Dave Reisner:
> On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> > I agree with Sébastien. We should encourage upstream to digitally sign
> > their releases, and verify their authenticity in our PKGBUILDs.
> >
> > Downloading releases over HTTPS gives a

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Dave Reisner
On Mon, Oct 31, 2016 at 03:33:42PM -0400, Dave Reisner wrote:
> On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> > On 31.10.2016 at 15:05, Dave Reisner wrote:
> > > Asking every upstream to provide a PGP signature isn't a process which
> > > will scale,
> >
> > I am against

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Dave Reisner
On Mon, Oct 31, 2016 at 08:14:32PM +0100, Thomas Bächler wrote:
> On 31.10.2016 at 15:05, Dave Reisner wrote:
> > Asking every upstream to provide a PGP signature isn't a process which
> > will scale,
>
> I am against enforcing https for projects which provide signatures. As
> Sebastien pointed

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Thomas Bächler
On 31.10.2016 at 15:05, Dave Reisner wrote:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,

I am against enforcing https for projects which provide signatures. As Sebastien pointed out, there are valid reasons against using https and it adds no benefit when

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread NicoHood
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step into that direction. However if you write such a script, it should also check if an https download is available, as not all websites

Re: [arch-dev-public] todo list for moving http -> https sources

2016-10-31 Thread Dave Reisner
On Sun, Oct 30, 2016 at 04:43:04PM -1000, Gaetan Bisson wrote:
> [2016-10-31 03:23:48 +0100] Sébastien Luttringer:
> > On Sun, 2016-10-30 at 20:55 -0400, Dave Reisner wrote:
> > > There's been a sizeable number of bugs filed over the past month or so
> > > about changing PKGBUILDs to acquire

[arch-dev-public] Signoff report for [testing]

2016-10-31 Thread Arch Website Notification
=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 2 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 6 fully signed off packages
* 47 packages missing signoffs
* 2 packages older than 14 days

(Note: