[bug#29046] [PATCH] gnu: linux-libre: Change URL to HTTPS.

[Mark H Weaver]

Hi Leo,

Leo Famulari <address@hidden> writes:

> On Mon, Oct 30, 2017 at 08:06:39AM +0100, Rutger Helling wrote:
>> I noticed linux-libre had already been updated, so this new patch only
>> changes the URL to HTTPS.
>
>> From b68a2c630258324628a7ef34005ff1d790a3a139 Mon Sep 17 00:00:00 2001
>> From: Rutger Helling <address@hidden>
>> Date: Mon, 30 Oct 2017 08:02:10 +0100
>> Subject: [PATCH] gnu: linux-libre: Change URL to HTTPS.
>> 
>> * gnu/packages/linux.scm (linux-libre): Change URL to HTTPS.
>
> Hi! Thanks for paying attention to the linux-libre packages.
>
> I'm copying Mark on this email, since he typically handles the
> linux-libre packages. Mark, what do you think of this change?

Thanks for bringing this to my attention.

I'm not strongly opposed to it, but in general, I'm not sure I
understand the rationale for changing source URLs to use HTTPS.  We
already verify the authenticity of the downloaded file by SHA256 hash,
and verify the GPG signature when updating to a new version.  Both of
these are far stronger than HTTPS, which in practice can be subverted by
compromising *any* certificate authority listed in our trust database
(in Mozilla NSS).

HTTPS also fails to hide from an evesdropper which file was downloaded,
because in practice that can be determined by the amount of data
transferred.

So, unless I'm mistaken, HTTPS doesn't provide any benefit to us here.
On the other hand, using HTTPS entails using more complex code to
download the files, which exposes a much larger attack surface that
might be exploited to compromise our systems.  Many security flaws have
been uncovered in TLS libraries over the years.  Using HTTPS also adds
more load on the server.

In summary, I'm mildly opposed to this change, but if I've made a
mistake in my reasoning here, or if other people feel strongly, I'm okay
either way.

What do you think?

      Mark