[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27437: Source downloader accepts X.509 certificate for incorrect dom
|
From: |
Ricardo Wurmus |
|
Subject: |
bug#27437: Source downloader accepts X.509 certificate for incorrect domain |
|
Date: |
Thu, 27 Jul 2017 21:34:29 +0200 |
|
User-agent: |
mu4e 0.9.18; emacs 25.2.1 |
Ludovic Courtès <address@hidden> writes:
> Ricardo Wurmus <address@hidden> skribis:
>
>>>From 44b8f1c04713d11601d964ecfbe2fc248a15e7c0 Mon Sep 17 00:00:00 2001
>> From: Ricardo Wurmus <address@hidden>
>> Date: Fri, 23 Jun 2017 09:24:58 +0200
>> Subject: [PATCH] doc: Encourage signature verification.
>>
>> * doc/contributing.texi (Submitting Patches): Remind contributors to verify
>> cryptographic signatures.
>> ---
>> doc/contributing.texi | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/doc/contributing.texi b/doc/contributing.texi
>> index 925c584e4..0073f2451 100644
>> --- a/doc/contributing.texi
>> +++ b/doc/contributing.texi
>> @@ -334,6 +334,12 @@ updates for a given software package in a single place
>> and have them
>> affect the whole system---something that bundled copies prevent.
>>
>> @item
>> +If the authors of the packaged software provide a cryptographic
>> +signature for the release tarball, make an effort to verify the
>> +authenticity of the archive. For a detached GPG signature file this
>> +would be done with the @code{gpg --verify} command.
>
> I would make it the very first item of the check list.
>
> If that’s fine with you, please push and maybe close the bug!
Looks like I’ve already pushed this a while back. I’ll move it up to
the top of the list. (And I’m closing this bug.)
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net