Justin Lebar via llvm-dev
2016-Oct-19 04:25 UTC
[llvm-dev] llvm/clang binaries are served over plain http
Hi, folks. Apologies if I'm digging up an old issue that has already been discussed to death. It appears that our download page serves llvm and clang binaries over plain http: http://llvm.org/releases/download.html It seems that it's very likely that the sets of people * who download our binaries, and * who are targeted for surveillance by strong network attackers have a nonempty intersection. So serving binaries over http seems...cavalier? (I see that we do provide .sig files, but we provide no instructions for verifying them. Moreover there's a bootstrapping problem: Presumably I need to get llvm's public key from somewhere, but is *that* served to me in a trustworthy way? But this is all academic, since I'm sure 99% of people who download our binaries don't go through the trouble of verifying signatures manually.) I know none of us are professional sysadmins or anything, but still, it would be cool if we could do right by our users in this respect. -Justin
Anton Korobeynikov via llvm-dev
2016-Oct-19 11:23 UTC
[llvm-dev] llvm/clang binaries are served over plain http
Justin, The Foundation is aware about this issue and we're working on resolving it. On Wed, Oct 19, 2016 at 7:25 AM, Justin Lebar via llvm-dev <llvm-dev at lists.llvm.org> wrote:> Hi, folks. Apologies if I'm digging up an old issue that has already > been discussed to death. > > It appears that our download page serves llvm and clang binaries over > plain http: > > http://llvm.org/releases/download.html > > It seems that it's very likely that the sets of people > > * who download our binaries, and > * who are targeted for surveillance by strong network attackers > > have a nonempty intersection. So serving binaries over http seems...cavalier? > > (I see that we do provide .sig files, but we provide no instructions > for verifying them. Moreover there's a bootstrapping problem: > Presumably I need to get llvm's public key from somewhere, but is > *that* served to me in a trustworthy way? But this is all academic, > since I'm sure 99% of people who download our binaries don't go > through the trouble of verifying signatures manually.) > > I know none of us are professional sysadmins or anything, but still, > it would be cool if we could do right by our users in this respect. > > -Justin > _______________________________________________ > LLVM Developers mailing list > llvm-dev at lists.llvm.org > http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev-- With best regards, Anton Korobeynikov Department of Statistical Modelling, Saint Petersburg State University