I suppose you are correct, but would you have rather I didn't mention it?
I would love to, however I do not have the scripting skills required to ensure proper verification and unfortunately there are multiple dependencies that don't publish gpg signatures.
It isn't an easy task if we want close to 100% assurance.
https://blog.invisiblethings.org/2016/05/30/build-security.html
Simply changing the build process to https is an improvement over what we have now but I do would rather not do a half baked solution that depends on on the goodwill of every CA.
GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-$%7BGMP_VERSION%7D.tar.xz" MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-$%7BMPFR_VERSION%7D.tar.xz" MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-$%7BMPC_VERSION%7D.tar.gz" LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-$%7BLIBELF_VERSION%7D.tar.gz" GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-$%7BGCC_VERSION%7D/gcc-$%7BGCC_VERSIO..." BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-$%7BBINUTILS_VERSION%7D.tar..." GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-$%7BGDB_VERSION%7D.tar.xz" IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-$%7BIASL_VERSION%7D.tar.g..." PYTHON_ARCHIVE="https://www.python.org/ftp/python/$%7BPYTHON_VERSION%7D/Python-$%7BPYTHON_VE..." EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-$%7BEXPAT_VERSION%..." MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-$%7BMAKE_VERSION%7D.tar.bz2"
On 11/06/2016 05:02 PM, Nico Huber wrote:
On 06.11.2016 22:44, Taiidan@gmx.com wrote:
It is 2016 not 2001 and MITM's are a regular thing so this is a serious issue.
Yes, YOU haven't fixed that yet.
On 06.11.2016 23:30, Taiidan@gmx.com wrote:
I suppose you are correct, but would you have rather I didn't mention it?
No, but you could have chosen kindlier words.
I would love to, however I do not have the scripting skills required to ensure proper verification and unfortunately there are multiple dependencies that don't publish gpg signatures.
It isn't an easy task if we want close to 100% assurance.
If you want that, best option would be to pay an expert.
https://blog.invisiblethings.org/2016/05/30/build-security.html
Simply changing the build process to https is an improvement over what we have now but I do would rather not do a half baked solution that depends on on the goodwill of every CA.
I agree. I haven't seen any hierarchical PKI I'd trust so far.
Nico
GMP_ARCHIVE="https://mirrors.kernel.org/gnu/gmp/gmp-$%7BGMP_VERSION%7D.tar.xz" MPFR_ARCHIVE="https://mirrors.kernel.org/gnu/mpfr/mpfr-$%7BMPFR_VERSION%7D.tar.xz"
MPC_ARCHIVE="https://mirrors.kernel.org/gnu/mpc/mpc-$%7BMPC_VERSION%7D.tar.gz" LIBELF_ARCHIVE="https://fossies.org/linux/misc/libelf-$%7BLIBELF_VERSION%7D.tar.gz"
GCC_ARCHIVE="https://mirrors.kernel.org/gnu/gcc/gcc-$%7BGCC_VERSION%7D/gcc-$%7BGCC_VERSIO..."
BINUTILS_ARCHIVE="https://mirrors.kernel.org/gnu/binutils/binutils-$%7BBINUTILS_VERSION%7D.tar..."
GDB_ARCHIVE="https://mirrors.kernel.org/gnu/gdb/gdb-$%7BGDB_VERSION%7D.tar.xz" IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-$%7BIASL_VERSION%7D.tar.g..."
PYTHON_ARCHIVE="https://www.python.org/ftp/python/$%7BPYTHON_VERSION%7D/Python-$%7BPYTHON_VE..."
EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-$%7BEXPAT_VERSION%..."
MAKE_ARCHIVE="https://mirrors.kernel.org/gnu/make/make-$%7BMAKE_VERSION%7D.tar.bz2"
On 11/06/2016 05:02 PM, Nico Huber wrote:
On 06.11.2016 22:44, Taiidan@gmx.com wrote:
It is 2016 not 2001 and MITM's are a regular thing so this is a serious issue.
Yes, YOU haven't fixed that yet.