FS#49721 - [libunwind] Include fingerprint and use https source
Attached to Project:
Arch Linux
Opened by . (bugreport) - Wednesday, 15 June 2016, 08:22 GMT
Last edited by Felix Yan (felixonmars) - Thursday, 16 June 2016, 06:40 GMT
Details
change the source to
https://mirror.csclub.uwaterloo.ca/nongnu/libunwind/
do not forget to include the public key fingerprint
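As an added illustration of the request above (example code, not part of this task or of Arch's packaging tools): a small lint that sources a PKGBUILD the way makepkg does and reports any non-https remote source, a missing detached signature, or an empty validpgpkeys array. The mirror URL is the one given in the task; the version number and the all-zero fingerprint in the sample files are constructed placeholders, not libunwind's real release or signing key.

```shell
#!/bin/sh
# Print the expanded entries of array NAME from PKGBUILD FILE, one per line.
# The file is sourced in a throwaway bash process, as makepkg does, so only
# the variable assignments run; build functions are defined, never called.
dump_array() {   # usage: dump_array FILE NAME
    bash -c '. "$1" >/dev/null 2>&1; n="$2[@]"; printf "%s\n" "${!n}"' _ "$1" "$2"
}

# Report findings on stdout; return 0 when the PKGBUILD is clean, 1 otherwise.
check_pkgbuild() {
    local file="$1" rc=0 have_sig=0 entry url
    for entry in $(dump_array "$file" source); do
        url=${entry#*::}                    # strip the optional "localname::" prefix
        case $url in
            https://*|*+https://*) ;;       # encrypted transport, as the task asks
            http://*|ftp://*) echo "insecure transport: $url"; rc=1 ;;
            *://*) echo "unhandled scheme: $url"; rc=1 ;;
            *) ;;                           # local file shipped alongside the PKGBUILD
        esac
        case $url in *.sig|*.asc|*.sign) have_sig=1 ;; esac
    done
    [ "$have_sig" -eq 1 ] || { echo "no detached upstream signature in source=()"; rc=1; }
    [ -n "$(dump_array "$file" validpgpkeys)" ] || { echo "validpgpkeys=() missing or empty"; rc=1; }
    return "$rc"
}

# Constructed samples: the shape this task complains about, and the fix it asks for.
BAD_PKGBUILD=$(mktemp)
cat >"$BAD_PKGBUILD" <<'EOF'
pkgname=libunwind
pkgver=1.1
source=("http://mirror.example.org/libunwind/libunwind-$pkgver.tar.gz")
EOF
GOOD_PKGBUILD=$(mktemp)
cat >"$GOOD_PKGBUILD" <<'EOF'
pkgname=libunwind
pkgver=1.1
source=("https://mirror.csclub.uwaterloo.ca/nongnu/libunwind/libunwind-$pkgver.tar.gz"{,.sig})
validpgpkeys=('0000000000000000000000000000000000000000')  # PLACEHOLDER: pin upstream's real fingerprint
EOF

for f in "$BAD_PKGBUILD" "$GOOD_PKGBUILD"; do
    check_pkgbuild "$f" && echo "clean: $f"
done
```

The bad sample yields three findings (plain-http transport, no signature, no pinned key); the good sample is reported clean, which is the state the closing note "Signature verification enabled in trunk" refers to.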
Closed by Felix Yan (felixonmars)
Thursday, 16 June 2016, 06:40 GMT
Reason for closing: Implemented
Additional comments about closing: Signature verification enabled in trunk.
Some source code is also mirrored at https://www.kernel.org/pub/, and that is not a random source either, as you all know.
This is also something the package maintainers should have been doing. They never check for upstream URL changes and they do not search for better sources, better in every way (data transfer rate, reliability, and security). The upstreams of many packages have been signing their source code releases for years, and the public key fingerprints are still missing from the PKGBUILD files. Completely unacceptable.
From what I have seen so far, they check these things only when something breaks completely. That is unacceptable and dangerous from a security standpoint.
The goal is to make it as difficult as possible, or impossible, to have any security problems in the future.
Having said all this, I do talk with upstream people about security, but again, it is something the maintainers must do too. After all, they accepted the package maintenance position because they are willing to maintain packages, no?
REPLY TO COMMENT #3:
Do not lie to me, and if you are not lying, then ensure that your statements are true before you state anything.
I have found a few PKGBUILD files (without having to go through many of them) where you do not use the master upstream depot as the source. One recently opened task (https://bugs.archlinux.org/task/49686) is an example of this. I have posted a comment with proper solutions in that task. I also found one that uses a Debian mirror.
It does not matter if it is the primary download server or one of the primary ones. The question is whether we can trust that server and its administrator, and whether the job can be done with it. Use your brains.
Now, about volunteerism. Even volunteerism requires commitments. If some of you do not have enough time to do what you must do, say so, and someone else will take your place, temporarily or permanently. All the PKGBUILDs maintained by the Arch Linux team should have been perfect. We are not talking about the AUR here.
Adding new tasks about all these things is something that I should never have had to do.
Having said all this, that does not mean I do not appreciate all the work you do, but when I see stupidity, carelessness, and laziness from people who expressed the will to become team members, it means that they do not take their responsibilities seriously. They committed by accepting the position.