4:33 p.m.
VLC package shipped by RPMFusion is missing a chain of trust with
upstream developers.
As exhaustively explained by Fabio Pietrosanti (naif) at VLC bugreport
[1], upstream has the bad habit to ship VLC using http instead of https.
You should argue that you could use GPG signing verification to avoid
man in the middle attacks (proof concept against VLC upstream at [2]),
but actually Fedora 25 ships[3] nightlies builds, that are not signed
[4]. Instead, 2.2.6 version used to be at least signed[5], with a self
signed certificate[6].
I also filled a bugreport at [7]
[1]: https://trac.videolan.org/vlc/ticket/18472
[2]: https://github.com/drego85/Why-VLC-NEED-to-enforce-HTTPS
[3]: https://pkgs.rpmfusion.org/cgit/free/vlc.git/tree/vlc.spec?h=f25#n4
[4]: http://nightlies.videolan.org/build/source/
[5]: http://download.videolan.org/pub/videolan/vlc/2.2.6/
[6]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7180713BE58D1ADC
[7]: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4584
2:33 p.m.
Germano , Are you simple request https on rpm spec ? or something else
? for that you just need make one pull request via github for example
...
On Tue, 2017-07-04 at 18:33 +0200, Germano Massullo wrote:
VLC package shipped by RPMFusion is missing a chain of trust with
upstream developers.
As exhaustively explained by Fabio Pietrosanti (naif) at VLC
bugreport
[1], upstream has the bad habit to ship VLC using http instead of
https.
You should argue that you could use GPG signing verification to avoid
man in the middle attacks (proof concept against VLC upstream at
[2]),
but actually Fedora 25 ships[3] nightlies builds, that are not signed
[4]. Instead, 2.2.6 version used to be at least signed[5], with a
self
signed certificate[6].
I also filled a bugreport at [7]
[1]: https://trac.videolan.org/vlc/ticket/18472
[2]: https://github.com/drego85/Why-VLC-NEED-to-enforce-HTTPS
[3]: https://pkgs.rpmfusion.org/cgit/free/vlc.git/tree/vlc.spec?h=f25
#n4
[4]: http://nightlies.videolan.org/build/source/
[5]: http://download.videolan.org/pub/videolan/vlc/2.2.6/
[6]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x7180713BE58D1AD
C
[7]: https://bugzilla.rpmfusion.org/show_bug.cgi?id=4584
_______________________________________________
rpmfusion-developers mailing list -- rpmfusion-developers(a)lists.rpmfu
sion.org
To unsubscribe send an email to rpmfusion-developers-leave(a)lists.rpmf
usion.org
--
Sérgio M. B.
3:17 p.m.
On 07/05/2017 10:33 AM, Sérgio Basto wrote:
Germano ,
Are you simple request https on rpm spec ? or something else ? for
that you just need make one pull request via github for example ...
I think he is
concerned that you might have downloaded the source using
http instead of https. That concern is easy to check by downloading the
source via https and comparing the hash of the source in the rpm.
A worse problem is that by default, vlc redirects to mirrors, that do
not all use https, and the nightly versions are not signed. So he is
suggesting that Fedora not use nightly versions - as there is not an
easy chain of trust. However, the chain of trust can still be checked
by manually downloading via https and not using a mirror.
On Tue, 2017-07-04 at 18:33 +0200, Germano Massullo wrote:
> VLC package shipped by RPMFusion is missing a chain of trust with
> upstream developers.
> As exhaustively explained by Fabio Pietrosanti (naif) at VLC bugreport
> [1], upstream has the bad habit to ship VLC using http instead of https.
1:12 a.m.
Germano Massullo wrote:
VLC package shipped by RPMFusion is missing a chain of trust with
upstream developers.
HTTP Source URLs are very common in packages (there are probably dozens of
upstreams still not even supporting HTTPS at all, or using a self-signed or
otherwise invalid certificate), and most upstreams do not sign their
releases at all. So why are you singling out VLC in particular? This is just
how things are in the real world, not much we as downstream can do about it.
Kevin Kofler
2480
days inactive
2488
days old
rpmfusion-developers@lists.rpmfusion.org
3 comments
4 participants
participants (4)
-
Germano Massullo -
Kevin Kofler -
Stuart Gathman -
Sérgio Basto