[llvm-dev] llvm/clang binaries are served over plain http

Anton Korobeynikov via llvm-dev llvm-dev at lists.llvm.org
Wed Oct 19 04:23:08 PDT 2016


Justin,

The Foundation is aware of this issue and we're working on resolving it.

On Wed, Oct 19, 2016 at 7:25 AM, Justin Lebar via llvm-dev
<llvm-dev at lists.llvm.org> wrote:
> Hi, folks.  Apologies if I'm digging up an old issue that has already
> been discussed to death.
>
> It appears that our download page serves llvm and clang binaries over
> plain http:
>
>   http://llvm.org/releases/download.html
>
> It seems that it's very likely that the sets of people
>
>  * who download our binaries, and
>  * who are targeted for surveillance by strong network attackers
>
> have a nonempty intersection.  So serving binaries over http seems...cavalier?
>
> (I see that we do provide .sig files, but we provide no instructions
> for verifying them.  Moreover there's a bootstrapping problem:
> Presumably I need to get llvm's public key from somewhere, but is
> *that* served to me in a trustworthy way?  But this is all academic,
> since I'm sure 99% of people who download our binaries don't go
> through the trouble of verifying signatures manually.)
>
> I know none of us are professional sysadmins or anything, but still,
> it would be cool if we could do right by our users in this respect.
>
> -Justin
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev



-- 
With best regards, Anton Korobeynikov
Department of Statistical Modelling, Saint Petersburg State University
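The quoted message points out two separate gaps: the binaries travel over plain http, and the .sig files come with no verification instructions and no trustworthy way to obtain the signing key. The script below is an added example, not code from the thread or from the LLVM project. It fetches a tarball and its detached signature over https only, runs gpg in batch mode, and accepts the file only when gpg reports a valid signature from a key whose fingerprint equals one pinned in the script. The pinned fingerprint is a placeholder: it has to be obtained out of band (a second channel, a keysigning, a prior trusted install), which is exactly the bootstrapping problem the message raises. It assumes `curl` and `gpg` are installed; the helper functions are pure string handling so they can be exercised without either.

```shell
#!/bin/sh
# Added example (not LLVM project code): download a release over https,
# verify its detached .sig with gpg, and refuse the file unless the
# signing key's fingerprint equals the pinned value below.
set -eu

# Placeholder: the real release-signing key fingerprint must come from a
# channel independent of the download page (the bootstrapping problem).
PINNED_FINGERPRINT="REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND"

# Canonical form of a fingerprint: no spaces, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Pull the signing-key fingerprint out of gpg --status-fd output.
# gpg emits "[GNUPG:] VALIDSIG <fpr> ..." only for a good signature,
# so an empty result means the signature did not verify at all.
fingerprint_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Succeed only when a non-empty fingerprint equals the pinned one.
fingerprint_matches() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# verify_release URL  (URL of the tarball; the .sig is assumed at URL.sig)
verify_release() {
    url=$1
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 1 ;;
    esac
    file=$(basename "$url")
    curl -fsSL -o "$file" "$url"
    curl -fsSL -o "$file.sig" "$url.sig"
    # --status-fd 1 puts machine-readable status lines on stdout; a bad
    # signature makes gpg exit non-zero, which we turn into empty status.
    status=$(gpg --batch --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | fingerprint_from_status)
    if fingerprint_matches "$fpr" "$PINNED_FINGERPRINT"; then
        echo "OK: $file signed by pinned key $fpr"
    else
        echo "FAIL: $file signature missing, invalid, or from an unpinned key" >&2
        rm -f "$file" "$file.sig"
        return 1
    fi
}

# Only act when a URL is given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    verify_release "$1"
fi
```

Note that a GOODSIG line alone is not enough: gpg will happily report GOODSIG for any key in the local keyring, so the fingerprint comparison is what ties the download to a key you actually chose to trust, and an https fetch only protects the transport, not the authenticity of the key.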

