On Wed, Jun 21, 2017 at 12:50:15PM +0200, Ludovic Courtès wrote: > Leo Famulari <l...@famulari.name> skribis: > > While working on some package updates, I found that the source code > > downloader will accept an X.509 certificate for an incorrect site.
[...] > IOW, since we’re checking the integrity of the tarball anyway, and we > assume developers checked its authenticity when writing the recipe, then > who cares whether downloads.xiph.org has a valid certificate? > > Does it make sense? Yeah, I think it makes sense if checking the certificates would add too much complexity for what I think is a minor benefit: protecting against exploitation of bugs by MITM (but not xiph.org) in whatever code runs after the connection is initiated and before the hash is calculated. Perhaps a MITM could send a huge file and fill up the disk or something like that. Closing the bug, but more thoughts are welcome!
signature.asc
Description: PGP signature
