FS#65552 - switch to https in PKGBUILDs
Attached to Project:
Arch Linux
Opened by TJ (boogiepop) - Wednesday, 19 February 2020, 02:27 GMT
Last edited by freswa (frederik) - Saturday, 25 April 2020, 11:48 GMT
Details
Description:
Various PKGBUILD files are downloading source code over plaintext HTTP, allowing for MITM attacks. I've been told by bisson that a script is used to automatically switch "source=" lines to HTTPS if it is available, so I would recommend running it again.

As a small example, the following domains support HTTPS but are still being used without it in various PKGBUILDs:

http://downloads.sourceforge.net
http://search.cpan.org
http://www.cpan.org
http://download.savannah.gnu.org
http://download.kde.org
http://netfilter.org
http://ftp.sendmail.org
http://www.docbook.org
http://ftp.gnu.org
http://xcache.lighttpd.net
http://www.claws-mail.org
http://downloads.xiph.org
http://www.tcpdump.org
http://www.mindrot.org
http://www.mirror-service.org

Additionally, any PKGBUILDs using...

http://ftp.debian.org
http://archive.debian.org
http://http.debian.net

...can probably be switched to https://deb.debian.org
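As an added illustration of what the report asks for (this is not the report's own text, nor the Arch script bisson mentioned), the Python below walks the source=() arrays of a PKGBUILD and rewrites http:// entries to https:// for a subset of the hosts listed above, maps the three Debian mirrors to deb.debian.org as suggested, and touches any other host only when a caller-supplied https_ok() probe says it serves HTTPS. The allowlist, the probe hook and the sample PKGBUILD are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts the report lists as serving HTTPS while still fetched over http:// (subset).
HTTPS_HOSTS = {"downloads.sourceforge.net", "search.cpan.org", "www.cpan.org",
               "download.savannah.gnu.org", "download.kde.org", "ftp.gnu.org"}
# Debian mirrors the report suggests replacing with the deb.debian.org CDN host.
HOST_ALIASES = {h: "deb.debian.org" for h in
                ("ftp.debian.org", "archive.debian.org", "http.debian.net")}
SOURCE_ARRAY = re.compile(r"(\bsource(?:_\w+)?=\()(.*?)(\))", re.S)
ENTRY = re.compile(r'''"([^"]*)"|'([^']*)'|([^\s()'"]+)''')


def upgrade_url(url, https_ok=lambda host: False):
    """Rewrite one source entry to https:// when its host is allowlisted, aliased, or
    reported reachable by https_ok(host) (a probe supplied by the caller). The PKGBUILD
    "name::url" prefix and any #fragment (e.g. a git #tag=) are preserved."""
    name, sep, target = url.rpartition("::")
    parts = urlsplit(target)
    if parts.scheme not in ("http", "git+http"):        # already https, local file, ftp, ...
        return url
    netloc = HOST_ALIASES.get(parts.hostname, parts.netloc)
    if netloc not in HTTPS_HOSTS and netloc != "deb.debian.org" and not https_ok(netloc):
        return url                                       # unknown host: leave it for a human
    scheme = parts.scheme.replace("http", "https")      # http -> https, git+http -> git+https
    target = urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))
    return f"{name}{sep}{target}"


def upgrade_pkgbuild(text, https_ok=lambda host: False):
    """Apply upgrade_url() to every entry of each source=(...) / source_<arch>=(...)
    array, preserving the original quoting and layout of the file."""
    def fix_entry(m):
        url = next(g for g in m.groups() if g is not None)
        quote = '"' if m.group(1) is not None else "'" if m.group(2) is not None else ""
        return f"{quote}{upgrade_url(url, https_ok)}{quote}"
    def fix_array(m):
        return m.group(1) + ENTRY.sub(fix_entry, m.group(2)) + m.group(3)
    return SOURCE_ARRAY.sub(fix_array, text)


# Constructed sample PKGBUILD (not a real package) covering the cases handled above.
SAMPLE = """pkgname=example
pkgver=1.0
source=("http://downloads.sourceforge.net/example/example-$pkgver.tar.gz"
        'http://ftp.debian.org/debian/pool/main/e/example/example_$pkgver.orig.tar.gz'
        "$pkgname::git+http://search.cpan.org/example.git#tag=v$pkgver"
        "http://unknown.example.org/example.tar.gz"
        "local.patch")
sha256sums=('SKIP' 'SKIP' 'SKIP' 'SKIP' 'SKIP')
"""
```

Running `print(upgrade_pkgbuild(SAMPLE))` shows the first three entries switched to HTTPS while the unknown host and the local patch are left alone; pass a real probe as https_ok to extend coverage beyond the allowlist.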
- packages which exist in svn, but were removed from the repos long ago
- packages which were updated to use https in trunk/, but not rebuilt and copied into repos/*
This isn't really actionable. And if it were, we'd still handle it with a todo list, like https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/ (which supposedly caught most things).