X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
IronPort-SDR: 36JUSkaITDSyJtSj+OZNOaCp2qSg+nBmWba3ZStUkJPS4aUVKNvVyyiT6FYs5sCaSKMkaKr7kA /xzgfZek+i5w==
X-Ironport-SBRS: None
Date: Mon, 11 Jan 2021 19:02:55 -0800
From: "Larry Doolittle (ldoolitt AT recycle DOT lbl DOT gov) [via geda-user AT delorie DOT com]"
To: geda-user
Subject: Re: [geda-user] No https for pcb-rnd
Message-ID: <20210112030255.GA9588@recycle.lbl.gov>
References: <197408a7-1183-7805-6f84-7794386c52dc AT fastmail DOT com> <20210111235323 DOT GB9305 AT recycle DOT lbl DOT gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.10.1 (2018-07-13)
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

Erich -

On Tue, Jan 12, 2021 at 11:14:34AM +1030, Erich Heinzle (a1039181 AT gmail DOT com) [via geda-user AT delorie DOT com] wrote:
> Indeed, if you don't trust the package maintainers and package submission
> process for your distribution, and don't trust other installed software
> like a browser from a 3rd party source, then https is irrelevant, [...]

I guess what I didn't say explicitly is that enabling https will reduce the risk that a distribution's capturing of a package source could be MITMed. I'm assuming that the package maintainers are trustworthy but not necessarily hyper-vigilant.

> your browser or local ssh libs can be compromised to perform MITM attacks,
> and if you build from source, you need to trust your compiler... but how do
> you build that from source....

Yes, and everyone here is invited to chip in to the vast, ongoing efforts to harden open source software projects and supply chains in general. I mentioned two starting points in my earlier email: reproducible-builds.org, and bootstrappable.org.

This is of course outside the scope of gEDA. There are even harder problems to be solved to harden and build trust in hardware, which is perhaps more on-topic here. I highly recommend bunnie's 36c3 (December 2019) talk on this subject:

36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware
1:00:45
https://www.youtube.com/watch?v=Hzb37RyagCQ

- Larry
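The MITM scenario Larry describes (a distribution fetching a package source over plain http) is usually mitigated on the packaging side by pinning a checksum of the upstream archive in the package recipe and refusing to build when the fetched bytes do not match. The following is an added illustration, not code from this thread, from gEDA or from pcb-rnd; the archive contents, the simulated fetch function and the pinned digest are all constructed for the example. It assumes the maintainer obtained the pinned digest from the genuine archive out of band (for instance when the package was first created), since a checksum pinned from a tampered download would simply pin the tampering; https protects that first fetch, the pinned checksum protects every later one.

```python
import hashlib
import hmac
from typing import Callable

# Constructed stand-in for an upstream source archive; not a real pcb-rnd release.
GENUINE_ARCHIVE = b"pcb-rnd-0.0.0.tar.gz (constructed sample bytes, not a real release)"

# Constructed stand-in for what an on-path attacker could substitute on an
# http download, e.g. the same archive with an altered build script.
TAMPERED_ARCHIVE = GENUINE_ARCHIVE.replace(b"constructed", b"backdoored")

# What a maintainer would pin in the package recipe, computed from the genuine
# archive obtained over a trusted channel (assumption for this example).
PINNED_SHA256 = hashlib.sha256(GENUINE_ARCHIVE).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an archive, the digest form most package recipes pin."""
    return hashlib.sha256(data).hexdigest()


def verify_source(archive: bytes, pinned_sha256: str) -> bool:
    """Accept the fetched archive only if its digest matches the pinned one.

    hmac.compare_digest is used so the comparison does not leak timing
    information about how many leading hex digits matched.
    """
    return hmac.compare_digest(sha256_hex(archive), pinned_sha256.lower())


def simulated_http_fetch(attacker_on_path: bool) -> bytes:
    """Stand-in for downloading the tarball over plain http.

    Without TLS, an on-path attacker can replace the response body; the
    downloader has no transport-level way to notice.
    """
    return TAMPERED_ARCHIVE if attacker_on_path else GENUINE_ARCHIVE


def fetch_and_verify(fetch: Callable[[bool], bytes],
                     attacker_on_path: bool,
                     pinned_sha256: str) -> tuple[bool, str]:
    """Fetch, then verify against the pinned digest.

    Returns (accepted, digest_seen) so a build system can log the digest of
    a rejected download for investigation.
    """
    archive = fetch(attacker_on_path)
    return verify_source(archive, pinned_sha256), sha256_hex(archive)


if __name__ == "__main__":
    for attacker in (False, True):
        ok, digest = fetch_and_verify(simulated_http_fetch, attacker, PINNED_SHA256)
        print(f"attacker_on_path={attacker} accepted={ok} sha256={digest[:16]}...")
```

The check is independent of the transport: the tampered download is rejected whether it arrived over http or https, and a genuine download is accepted either way. What the pinned digest cannot do is tell the maintainer whether the archive they first pinned was itself genuine; that is the step where https (or an upstream signature verified against a key obtained elsewhere) still matters.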