bug#27437: Source downloader accepts X.509 certificate for incorrect dom
From: Mark H Weaver
Subject: bug#27437: Source downloader accepts X.509 certificate for incorrect domain
Date: Thu, 22 Jun 2017 11:33:31 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
address@hidden (Ludovic Courtès) writes:
> The behavior of the source download is on purpose as noted in (guix
> download):
>
> ;; No need to validate certificates since we know the
> ;; hash of the expected result.
> #:verify-certificate? #f)))))
>
> IOW, since we’re checking the integrity of the tarball anyway, and we
> assume developers checked its authenticity when writing the recipe, then
> who cares whether downloads.xiph.org has a valid certificate?
>
> Conversely, ‘guix download’ always checks certificates by default.
>
> Does it make sense?

Yes, and I agree with this behavior. However, it should be noted that
this will reduce the security of a bad practice that I suspect is
sometimes used by people when updating packages, namely to update the
version number, try building it, and then copy the hash from the error
message to the package.

FWIW, I always check digital signatures when they're available, and I
hope that others will as well, but in practice we are putting our faith
in a large number of contributors, some of whom might not be so careful.

Also, sadly, many packages are distributed without digital signatures at
all. One glaring example is NSS.

Mark
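
The trade-off discussed in this message, as an added illustration that is not code from Guix or from anyone in the thread: a pinned hash makes an unauthenticated download safe, but a hash copied from the mismatch error pins whatever the network delivered. All names, the URL and the sample bytes are hypothetical, and `signature_ok` stands in for a real signature check.

```python
import hashlib

# All names, the URL and the byte strings below are constructed for illustration.
GENUINE = b"libfoo-1.1 release tarball (constructed sample)"
TAMPERED = b"libfoo-1.1 tarball altered in transit (constructed sample)"
URL = "https://downloads.example.org/libfoo-1.1.tar.gz"


class HashMismatch(Exception):
    def __init__(self, expected, actual):
        super().__init__(f"expected {expected}, actual {actual}")
        self.expected, self.actual = expected, actual


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch_fixed_output(transport, url, pinned):
    """Download without authenticating the server; accept only bytes matching the pin."""
    data = transport(url)
    actual = sha256_hex(data)
    if actual != pinned:
        raise HashMismatch(pinned, actual)
    return data


def update_by_copying_hash(transport, url, stale_pin):
    """Shortcut from the message: build with the old hash, copy the new one from the error."""
    try:
        fetch_fixed_output(transport, url, stale_pin)
    except HashMismatch as err:
        return err.actual  # pins whatever the network delivered
    return stale_pin


def update_after_verification(transport, url, is_authentic):
    """Pin a hash only once an independent authenticity check has passed."""
    data = transport(url)
    if not is_authentic(data):
        raise ValueError("authenticity check failed; not pinning this hash")
    return sha256_hex(data)


def honest(url):         # transport that returns the upstream release
    return GENUINE

def intercepted(url):    # transport whose response was replaced in transit
    return TAMPERED

def signature_ok(data):  # stand-in for verifying a detached signature
    return data == GENUINE
```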