[llvm-dev] llvm/clang binaries are served over plain http
Anton Korobeynikov via llvm-dev
llvm-dev at lists.llvm.org
Wed Oct 19 04:23:08 PDT 2016
Justin,
The Foundation is aware of this issue and we're working on resolving it.
On Wed, Oct 19, 2016 at 7:25 AM, Justin Lebar via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> Hi, folks. Apologies if I'm digging up an old issue that has already
> been discussed to death.
>
> It appears that our download page serves llvm and clang binaries over
> plain http:
>
> http://llvm.org/releases/download.html
>
> It seems that it's very likely that the sets of people
>
> * who download our binaries, and
> * who are targeted for surveillance by strong network attackers
>
> have a nonempty intersection. So serving binaries over http seems...cavalier?
>
> (I see that we do provide .sig files, but we provide no instructions
> for verifying them. Moreover there's a bootstrapping problem:
> Presumably I need to get llvm's public key from somewhere, but is
> *that* served to me in a trustworthy way? But this is all academic,
> since I'm sure 99% of people who download our binaries don't go
> through the trouble of verifying signatures manually.)
>
> I know none of us are professional sysadmins or anything, but still,
> it would be cool if we could do right by our users in this respect.
>
> -Justin
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
--
With best regards, Anton Korobeynikov
Department of Statistical Modelling, Saint Petersburg State University
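The quoted message notes that .sig files are published without instructions for verifying them, and that fetching the public key has a bootstrapping problem. The script below is an added example (not LLVM's release tooling and not from either poster) of the check a downloader should actually run: the detached signature must be good and must chain to a primary key whose fingerprint was pinned ahead of time from an out-of-band source, so a key substituted on the wire is rejected even if it produces a valid signature. It assumes gpg 2.1+; the PINNED_FPR_PLACEHOLDER string and the demo key, file and signature are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not LLVM's release tooling: verify a release artifact's detached
# OpenPGP signature against a PINNED primary-key fingerprint, so that "the key I
# fetched" is compared with "the key I expected". The fingerprint must come from
# an out-of-band source (an HTTPS page, a signed announcement, a prior install).
# Assumes gpg 2.1+. PINNED_FPR_PLACEHOLDER is a stand-in for a real fingerprint.
set -eu

# Refuse to fetch over a scheme that provides no transport integrity at all.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-https URL: $1" >&2; return 1 ;;
  esac
}

# verify_pinned ARTIFACT SIGNATURE PINNED_PRIMARY_FINGERPRINT
# Succeeds only if the signature is GOOD and was made by (a subkey of) the
# primary key we pinned. Uses gpg's machine-readable status lines; the last
# field of VALIDSIG is the primary key fingerprint.
verify_pinned() {
  artifact=$1; sig=$2; pinned=$3
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  [ -n "$primary" ] && [ "$primary" = "$pinned" ]
}

# demo_setup: throwaway keyring, a constructed "release" file and its detached
# signature, so the checks above can be exercised offline. gpg noise is muted.
demo_setup() {
  WORK=$(mktemp -d)
  export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"
  trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Release Signer <demo@example.invalid>' default default never 2>/dev/null
  DEMO_FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  DEMO_FILE="$WORK/clang-demo.tar.xz"   # constructed stand-in for a release tarball
  printf 'constructed release payload\n' > "$DEMO_FILE"
  DEMO_SIG="$DEMO_FILE.sig"
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$DEMO_SIG" "$DEMO_FILE" 2>/dev/null
}

# Run the demonstration when executed directly (skipped silently without gpg).
if command -v gpg >/dev/null 2>&1; then
  demo_setup
  if ! verify_pinned "$DEMO_FILE" "$DEMO_SIG" "$DEMO_FPR"; then
    echo "verification unexpectedly failed" >&2; exit 1
  fi
  echo "good signature from pinned key $DEMO_FPR"
  # A valid signature from a key that is NOT the pinned one must be rejected.
  if verify_pinned "$DEMO_FILE" "$DEMO_SIG" "PINNED_FPR_PLACEHOLDER"; then
    echo "BUG: unpinned key accepted" >&2; exit 1
  fi
  require_https "http://llvm.org/releases/download.html" || true
fi
```

The point of the pin is that `gpg --verify` alone only tells you the signature matches some key in your keyring; if the keyring was populated from the same untrusted channel as the tarball, that proves nothing. Pinning the primary fingerprint and matching it against VALIDSIG also keeps working when the project signs with a rotating subkey.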