Mark H Weaver (2015-10-07 05:07 +0300) wrote:

> Alex Kost <alez...@gmail.com> writes:
>
>> Ludovic Courtès (2015-10-05 18:55 +0300) wrote:
>>
>>> Alex Kost <alez...@gmail.com> wrote:
>>>
>>>> Ludovic Courtès (2015-10-04 19:57 +0300) wrote:
>>>>
>>>>> However, if this is “too convenient”, I’m afraid this would give an
>>>>> incentive to not check OpenPGP signatures when they are available.
>>>>
>>>> Sorry, I have no idea what it means :-(
>>>
>>> When upstream digitally signs its source code tarballs, packagers should
>>> check those signatures to authenticate the code they have.
>>>
>>> If the tool makes it too easy to fill out the ‘sha256’ field without
>>> going through the trouble of downloading the ‘.sig’ file and checking
>>> it, then people will have an incentive not to check those signatures.
>>
>> Oh, now I see what you mean. Well, I don't know, I think if a user has
>> a habit to check a signature, he will check it anyway; and if not, then
>> not.
>
> I share Ludovic's concern. It is a serious problem if packagers fail to
> check signatures. We should not provide mechanisms that encourage such
> behavior. It jeopardizes the security of every user of those packages.
OK, apparently I underestimate security issues, thanks.

--
Alex
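As an added illustration of the workflow Ludovic describes (not code from this thread or from Guix itself): a small shell helper that only computes the sha256 of an upstream tarball after its detached OpenPGP signature has been verified, so the convenient step cannot be taken without the inconvenient one. It assumes `gpg` is installed with the upstream signing key already in the keyring, that the signature sits beside the tarball as `<tarball>.sig`, and uses GNU `sha256sum` where a Guix packager would normally reach for `guix hash`.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Guix.
# Assumptions: gpg is available and already trusts the upstream key;
# the detached signature is <tarball>.sig unless given explicitly.

# verified_sha256 TARBALL [SIGFILE]
# Prints the hex sha256 of TARBALL only if gpg accepts SIGFILE for it.
# Prints nothing and returns non-zero when the signature file is missing
# or the signature does not verify, so no hash ever reaches a package
# definition without the .sig having been checked.
verified_sha256() {
    tarball=$1
    sig=${2:-$1.sig}

    if [ ! -f "$tarball" ]; then
        echo "verified_sha256: no such tarball: $tarball" >&2
        return 2
    fi
    if [ ! -f "$sig" ]; then
        echo "verified_sha256: missing signature $sig; refusing to hash" >&2
        return 3
    fi
    # gpg exits non-zero on a bad signature or an unknown/untrusted key;
    # if gpg is not installed at all the command also fails. In every
    # such case we emit no hash.
    if ! gpg --batch --verify "$sig" "$tarball" 2>/dev/null; then
        echo "verified_sha256: signature check failed for $tarball" >&2
        return 4
    fi
    # Only reached after a successful verification. GNU coreutils
    # sha256sum is used here; 'guix hash' would be the Guix-native tool.
    sha256sum "$tarball" | cut -d' ' -f1
}
```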