ANNOUNCE: xfce4-terminal 0.8.2 released

NicoHood archlinux at nicohood.de
Sun Jan 1 19:55:38 CET 2017


On 01/01/2017 07:49 PM, Andrzej wrote:
> 
>> I am sorry but those are message digests and not signatures. And since
>> they are downloaded via http they prove nothing. It is a high risk for
>> our users that we need to download the xfce sources over an insecure
>> channel and cannot verify their authenticity.
>>
>> Please fix this serious security issue.
> 
> At the moment the only other option is to pull a tagged revision
> directly from git.xfce.org and generate your own tarball by running
> "autogen.sh <options>; make distcheck" yourself.
That will only help us a bit, and only if the git download is via https
and the git commits/tags are signed via GPG.

> 
> Cryptographic checksums are an adequate solution (they are generated and
> uploaded by the maintainer of each component), provided that their
> authenticity can be verified. We do not plan to change our release system.
> 
GPG signatures are of high importance and must be generated by the
maintainer. It could also be automated via a build server, but the key
needs to be kept secure. If the maintainer could do it for every release
(which is not that much work), it would be best.

Some help with an automated script (WIP) can be found here:
https://github.com/NicoHood/gpgithub

> I do agree with you that http is a bad channel for distributing tarballs
> and checksums. I will check if we can use https for it like we do for
> most other subdomains.
Thanks. I think the certificate only needs some more entries about the
subdomain. You will know best.

Thanks for making the xfce DE we all love more secure for the users. :)
~Nico
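The signed-release flow discussed above (maintainer produces a detached GPG signature per release, packager verifies it against a public key obtained out of band), as an added shell example that is not part of this thread or of the xfce release tooling; the key, user id, tarball name and contents are constructed stand-ins.

```shell
# Added example, not from the xfce thread: throw-away maintainer key in one
# GNUPGHOME, a separate "packager" keyring holding only the public key, so
# trust comes from the imported key and not from the download channel.
set -eu

WORK=$(mktemp -d)
MAINT="$WORK/maintainer"    # maintainer's GNUPGHOME (private key lives here)
PACKAGER="$WORK/packager"   # packager's GNUPGHOME (public key only)
TARBALL="$WORK/xfce4-terminal-0.8.2.tar.bz2"   # constructed stand-in file
PUBKEY="$WORK/maintainer.pub.asc"

gpg_as() { # gpg_as <homedir> <gpg args...> : non-interactive gpg in a given keyring
  _home=$1; shift
  mkdir -p "$_home" && chmod 700 "$_home"
  gpg --homedir "$_home" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Maintainer side: one-time key, then one detached ASCII-armored signature per release.
setup_demo() {
  printf 'constructed tarball contents, not a real release\n' > "$TARBALL"
  gpg_as "$MAINT" --quick-generate-key 'Demo Maintainer <demo@example.invalid>' default sign 0
  gpg_as "$MAINT" --yes --armor --detach-sign --output "$TARBALL.asc" "$TARBALL"
  gpg_as "$MAINT" --armor --export --output "$PUBKEY"
  # Packager side: the public key is obtained once, out of band (previous
  # release, keyserver, in person) and imported into a clean keyring.
  gpg_as "$PACKAGER" --import "$PUBKEY"
}

# verify_release <sig> <tarball>: exit 0 only for a valid signature made by a
# key already present in the packager keyring; unknown key or altered
# tarball both fail. A SHA-256 digest fetched from the same http server as the
# tarball cannot make this distinction, which is the point of the thread.
verify_release() {
  gpg_as "$PACKAGER" --verify "$1" "$2" 2>/dev/null
}

tamper() { printf 'one extra byte\n' >> "$TARBALL"; }

if [ "${1:-}" = run ]; then
  setup_demo
  verify_release "$TARBALL.asc" "$TARBALL" && echo "good signature"
  tamper
  verify_release "$TARBALL.asc" "$TARBALL" || echo "BAD signature after tampering"
fi
```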
