I suppose you are correct, but would you have rather I didn't mention it?
I would love to; however, I do not have the scripting skills required to ensure proper verification, and unfortunately there are multiple dependencies that don't publish gpg signatures.
It isn't an easy task if we want close to 100% assurance.
https://blog.invisiblethings.org/2016/05/30/build-security.html
Simply changing the build process to https is an improvement over what we have now, but I would rather not do a half-baked solution that depends on the goodwill of every CA.
GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-${GMP_VERSION}.tar.xz"
MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-${MPFR_VERSION}.tar.xz"
MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-${MPC_VERSION}.tar.gz"
LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-${LIBELF_VERSION}.tar.gz"
GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSIO..."
BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-${BINUTILS_VERSION}.tar..."
GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-${GDB_VERSION}.tar.xz"
IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.g..."
PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VE..."
EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION%..."
MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-${MAKE_VERSION}.tar.bz2"
On 11/06/2016 05:02 PM, Nico Huber wrote:
On 06.11.2016 22:44, Taiidan@gmx.com wrote:
It is 2016, not 2001, and MITMs are a regular thing, so this is a serious issue.
Yes, YOU haven't fixed that yet.
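As an added example that is not part of this thread or of the coreboot build scripts: a fail-closed check of fetched dependency archives against pinned SHA-256 digests, which holds regardless of whether the tarball came over http, https or a mirror. The manifest format ("filename digest" per line), the function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify build dependency archives
# against pinned SHA-256 digests, independent of the download transport.
# Manifest format (assumed): one "<path> <sha256>" pair per line.

sha256_of() {
    # Portable digest: GNU coreutils sha256sum or BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED_SHA256 -> 0 on match, 1 on missing file or mismatch.
verify_archive() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# verify_manifest MANIFEST -> 0 only if every listed archive exists and matches;
# every entry is checked so all failures are reported, not just the first.
verify_manifest() {
    rc=0
    while read -r name digest; do
        [ -n "$name" ] || continue
        verify_archive "$name" "$digest" || rc=1
    done < "$1"
    return $rc
}

# usage: verify_manifest archives.sha256 || exit 1
```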