This is an archive of the discontinued LLVM Phabricator instance.

Getting started docs: https, and check signature
ClosedPublic

Authored by jfb on Jun 30 2015, 11:34 AM.

Details

Summary

Download should be over https, not insecure ftp at least for the signature and key files. The signature should also get verified.

Diff Detail

Repository
rL LLVM

Event Timeline

jfb updated this revision to Diff 28803. Jun 30 2015, 11:34 AM
jfb retitled this revision from to Getting started docs: https, and check signature.
jfb updated this object.
jfb edited the test plan for this revision. (Show Details)
jfb added a reviewer: chandlerc.
jfb added a subscriber: Unknown Object (MLST).
This revision was automatically updated to reflect the committed changes.
chandlerc edited edge metadata. Jun 30 2015, 8:42 PM

I mean, this looks good.

But why ask me to review only to commit without waiting? =[ If this were code, I'd be rather annoyed as you know better. As it's just documentation, I'm just a bit annoyed because I pulled up the page to write "LGTM" without any purpose.

jyasskin added inline comments.
llvm/trunk/docs/GettingStarted.rst
331

There's not much point fetching the signing key over exactly the same transport as the data. If someone's compromised ftp.gnu.org, they can replace the key at the same time as they replace the signature. Either trust just HTTPS or fetch the signing key from somewhere else.
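The following is an added example illustrating the point raised in this comment; it is not part of the review, the diff, or the LLVM docs. It shows the "fetch the signing key from somewhere else" option as a pinned fingerprint: the tarball, its detached signature and the key may all be served by the same host over HTTPS, but the key is only trusted if its fingerprint matches a value the reader obtained out of band (for example, printed in the docs). The URLs, file names and the pinned fingerprint are placeholders; the script assumes `curl` and GnuPG 2.1.23 or later (for `--show-keys`).

```shell
#!/bin/sh
# Added example (not the LLVM docs' own instructions): verify a release tarball
# against a detached PGP signature, but trust the signing key only after its
# fingerprint has been checked against a value pinned out of band. Without that
# check, a server that can swap the tarball and signature can swap the key too,
# and the verification proves nothing.

# Normalise a fingerprint for comparison: drop spaces and colons, upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) when both strings name the same fingerprint, else fail.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an ASCII-armored key file without
# importing it into the user's keyring (GnuPG 2.1.23+).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full flow. Arguments: tarball URL, key URL, pinned fingerprint (all placeholders
# supplied by the caller; nothing here comes from the docs under review).
verify_release() {
    tarball_url="$1"; key_url="$2"; pinned_fpr="$3"
    tarball=$(basename "$tarball_url")

    # Transport security only: HTTPS, fail on HTTP errors, follow redirects.
    curl -fsSLO "$tarball_url"
    curl -fsSLO "$tarball_url.sig"
    curl -fsSL -o signing-key.asc "$key_url"

    # Key authenticity: the downloaded key must be the one we were told to expect.
    actual_fpr=$(key_fingerprint signing-key.asc)
    if ! fingerprint_matches "$actual_fpr" "$pinned_fpr"; then
        echo "signing key fingerprint '$actual_fpr' does not match pinned '$pinned_fpr'" >&2
        return 1
    fi

    # Verify in a throwaway keyring so the downloaded key never enters the user's
    # trust database; mktemp -d creates the directory with mode 0700 as gpg requires.
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp" gpg --batch --quiet --import signing-key.asc
    if GNUPGHOME="$tmp" gpg --batch --verify "$tarball.sig" "$tarball"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# The network part only runs when all three arguments are given, e.g.:
#   sh verify_release.sh https://example.invalid/foo-1.0.tar.xz \
#       https://example.invalid/keys/signing-key.asc 'PINNED FINGERPRINT HERE'
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

The important line is the `fingerprint_matches` check: `gpg --verify` reports a good signature for any key that happens to be in the keyring, so with the key fetched from the same place as the data the verify step alone only tells you the server signed what the server served. Pinning the fingerprint (or, equivalently, fetching the key from a second, independent source) is what turns that into evidence about the publisher.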