FS#49721 - [libunwind] Include fingerprint and use https source

Attached to Project: Arch Linux
Opened by . (bugreport) - Wednesday, 15 June 2016, 08:22 GMT
Last edited by Felix Yan (felixonmars) - Thursday, 16 June 2016, 06:40 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Felix Yan (felixonmars)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

change the source to https://mirror.csclub.uwaterloo.ca/nongnu/libunwind/

do not forget to include the public key fingerprint

Closed by Felix Yan (felixonmars)
Thursday, 16 June 2016, 06:40 GMT
Reason for closing: Implemented
Additional comments about closing: Signature verification enabled in trunk.
Comment by Gaetan Bisson (vesath) - Wednesday, 15 June 2016, 08:58 GMT
I understand your desire to push for more security in Arch, but please do not request we switch to a random source mirror just because it supports HTTPS. If the upstream source depot only provides HTTP, then that is where the weak link is: even your "secure" mirror likely syncs from upstream using HTTP. At any rate, as I wrote in a private email, the correct way to authenticate source tarballs is not to use HTTPS or sha512sums, it is to verify the signatures upstream release managers should be publishing.
Comment by . (bugreport) - Wednesday, 15 June 2016, 18:04 GMT
it is not a random source, it is an official mirror of savannah, and its administrator is the computer science department of the university of waterloo in canada. it is one of the top CS departments worldwide.

some source code is mirrored at https://www.kernel.org/pub/ also, and that is not a random source either, as you all know.

this is also something the package maintainers should have been doing. they never check for upstream URL changes and they do not search for better sources. better in every way (data transfer rate, reliability, and security). the upstreams of many packages have been signing their source code releases for years, and the public key fingerprints are still missing from the PKGBUILD files. completely unacceptable.

from what i have seen so far, they check these things only when something breaks completely. that is unacceptable and dangerous from a security standpoint.

the goal is to make it as difficult as possible or impossible to have any security problems in the future.

having said all this, i do talk with upstream people about security, but again, it is something the maintainers must do too. after all, they accepted the package maintenance position because they are willing to maintain packages, no?

REPLY TO COMMENT #3:

do not lie to me, and if you are not lying, then ensure that your statements are true before you state anything.

i have found a few PKGBUILD files (without having to go through many of those) where you do not use the master upstream depot as the source. one recently-opened task (https://bugs.archlinux.org/task/49686) is an example of this. i have posted a comment with proper solutions in that task. also, i found one that uses a Debian mirror.

it does not matter if it is the primary download server or one of the primary ones. the question is if we can trust that server and its administrator, and if the job can be done with it. use your brains.

now, about volunteerism. even volunteerism requires commitments. if some of you do not have enough time to do what you must do, say so, and someone else will take your place, temporarily or permanently. all the PKGBUILDs maintained by the archlinux team should have been perfect. we are not talking about AUR here.

adding new tasks about all these things is something that i should have never had to do.

having said all this, that does not mean i do not appreciate all the work you do, but when i see stupidity, carelessness, and laziness from people who expressed the will to become team members, it means that they do not take their responsibilities seriously. they committed by accepting the position.
Comment by Gaetan Bisson (vesath) - Wednesday, 15 June 2016, 20:59 GMT
Our PKGBUILDs should use the master upstream depot as source, period. If the Savannah depot has reliability/security issues, then second-tier mirrors inherit those since they sync from the master depot. Now I agree with you that maintainers should update the source URL as the master upstream depot moves, and include tarball signatures if available. And this is what most of us do. If some maintainers do not, remember we are all volunteers and nobody ever has enough free time. You can of course file bugs against the affected packages individually. Cheers.
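Both of the maintainer's replies above make the same point: what authenticates a source tarball is the upstream detached signature pinned to a known key fingerprint, not the transport or a checksum. The following is an added example, not code from this bug report or from Arch's makepkg: a small lint that reads a PKGBUILD and reports tarballs in source=() that have no accompanying .sig/.asc entry, a missing or malformed validpgpkeys=() fingerprint, and, only as informational, plain-http sources. The two PKGBUILD fragments, the package name, the URLs and the fingerprint are constructed placeholders, and the array parser is a deliberate simplification (no variable expansion), not a bash evaluator.

```python
"""Lint PKGBUILD files for upstream-signature verification (added example)."""
import re
import shlex

# Full OpenPGP v4 fingerprint: 40 hex digits. Short key IDs are rejected on purpose.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# Matches bash array assignments such as source=( ... ), possibly spanning lines.
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)
SIG_SUFFIXES = (".sig", ".asc", ".sign")


def parse_arrays(text):
    """Return {name: [values]} for array assignments in a PKGBUILD.

    Uses shlex to honour quoting and drop trailing comments; $pkgver-style
    variables are kept literally, which is enough for a lint check.
    """
    return {m.group(1): shlex.split(m.group(2), comments=True)
            for m in ARRAY_RE.finditer(text)}


def lint_pkgbuild(text):
    """Return a list of (severity, message) findings for one PKGBUILD."""
    arrays = parse_arrays(text)
    findings = []
    # Strip an optional "localname::" prefix so we compare real URLs.
    urls = [s.split("::", 1)[-1] for s in arrays.get("source", [])]
    sig_files = [u for u in urls if u.endswith(SIG_SUFFIXES)]
    tarballs = [u for u in urls if "://" in u and not u.endswith(SIG_SUFFIXES)]
    keys = arrays.get("validpgpkeys", [])

    for tb in tarballs:
        # A detached signature is normally "<tarball>.sig" or "<tarball>.asc".
        if not any(sig.startswith(tb) for sig in sig_files):
            findings.append(("error", f"no detached signature listed for {tb}"))
        if tb.startswith("http://"):
            findings.append(("info", f"plain-http source; authenticity rests on the signature: {tb}"))

    if sig_files and not keys:
        findings.append(("error", "signature files listed but validpgpkeys=() is missing; "
                                  "the fingerprint is not pinned"))
    for k in keys:
        if not FINGERPRINT_RE.match(k):
            findings.append(("error", f"validpgpkeys entry is not a full 40-hex fingerprint: {k}"))
    return findings


def errors(findings):
    """Only the findings that should block a package update."""
    return [msg for sev, msg in findings if sev == "error"]


# Constructed sample fragments (placeholder package, URLs and fingerprint).
BEFORE = '''
pkgname=examplepkg
pkgver=1.0
source=("http://download.example.org/$pkgname-$pkgver.tar.gz")
sha512sums=('SKIP')
'''

AFTER = '''
pkgname=examplepkg
pkgver=1.0
source=("http://download.example.org/$pkgname-$pkgver.tar.gz"
        "http://download.example.org/$pkgname-$pkgver.tar.gz.sig")
sha512sums=('SKIP' 'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')
'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for sev, msg in lint_pkgbuild(text):
            print(f"[{sev}] {msg}")
```

Run against the "before" fragment it reports one error (no signature) plus the http note; against the "after" fragment only the http note remains, which is the maintainer's point that the mirror's scheme is secondary once the signature and fingerprint are in place.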
