Germano, are you simply requesting https in the rpm spec, or something else? For that you just need to make one pull request via GitHub, for example
...
On Tue, 2017-07-04 at 18:33 +0200, Germano Massullo wrote:
VLC package shipped by RPMFusion is missing a chain of trust with upstream developers.
As exhaustively explained by Fabio Pietrosanti (naif) at VLC bug report [1], upstream has the bad habit of shipping VLC using http instead of https.
You should argue that you could use GPG signing verification to avoid man-in-the-middle attacks (proof of concept against VLC upstream at [2]), but actually Fedora 25 ships[3] nightly builds, that are not signed [4]. Instead, 2.2.6 version used to be at least signed[5], with a self-signed certificate[6].
I also filed a bug report at [7]

[1]: https://trac.videolan.org/vlc/ticket/18472
[2]: https://github.com/drego85/Why-VLC-NEED-to-enforce-HTTPS
[3]: https://pkgs.rpmfusion.org/cgit/free/vlc.git/tree/vlc.spec?h=f25#n4
[4]: http://nightlies.videolan.org/build/source/
[5]: http://download.videolan.org/pub/videolan/vlc/2.2.6/
[6]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7180713BE58D1ADC
[7]: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4584
--
Sérgio M. B.
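
Added example (not part of the thread, and not RPM Fusion's or VideoLAN's code): a small Python lint that checks a spec file for the two gaps raised above, sources fetched over plain http and tarballs with no detached signature verified in `%prep`. The sample spec, its package name and its URLs are constructed, and the check assumes the distribution provides Fedora's `%{gpgverify}` macro or that the spec calls `gpgv` directly.

```python
import re

# Constructed sample spec (hypothetical package and URLs, not RPM Fusion's vlc.spec).
SAMPLE_SPEC = """\
Name:    example-player
Version: 1.0
Source0: http://downloads.example.org/example-player-1.0.tar.xz
Source1: https://downloads.example.org/extra-data-1.0.tar.xz
Source2: https://downloads.example.org/extra-data-1.0.tar.xz.asc
Source3: https://downloads.example.org/signing-key.gpg
Patch0:  local-fix.patch

%prep
%{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE2}' --data='%{SOURCE1}'
%setup -q
"""

SOURCE_RE = re.compile(r"^Source(\d*):\s*(\S+)", re.I | re.M)
PREP_RE = re.compile(
    r"^%prep\b(.*?)(?=^%(?:build|install|check|files|changelog)\b|\Z)", re.S | re.M)
SIG_EXT = (".asc", ".sig", ".sign")   # detached signature files
KEY_EXT = (".gpg", ".kbx")            # keyrings holding the upstream public key


def audit_spec(spec_text):
    """Map each remote source to its chain-of-trust findings (empty list = OK)."""
    sources = {int(n or 0): url for n, url in SOURCE_RE.findall(spec_text)}
    # A signature "foo.tar.xz.asc" covers the source "foo.tar.xz".
    signed = {u[:u.rfind(".")] for u in sources.values() if u.endswith(SIG_EXT)}
    prep = PREP_RE.search(spec_text)
    # "gpgv" also matches the %{gpgverify} macro name.
    verify_lines = [line for line in (prep.group(1) if prep else "").splitlines()
                    if "gpgv" in line]
    report = {}
    for n, url in sorted(sources.items()):
        if "://" not in url or url.endswith(SIG_EXT + KEY_EXT):
            continue  # local files, signatures and keyrings are not payloads
        findings = []
        if not url.lower().startswith("https://"):
            findings.append("fetched without TLS")
        if url not in signed:
            findings.append("no detached signature listed")
        elif not any("%%{SOURCE%d}" % n in line for line in verify_lines):
            findings.append("signature listed but never verified in %prep")
        report["Source%d" % n] = findings
    return report


if __name__ == "__main__":
    for tag, findings in audit_spec(SAMPLE_SPEC).items():
        print(tag, "->", findings or "ok")
```
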