Hi. The wiki states that database signatures for pacman are currently
a work in progress. It's been that way for a long time, so I assume
there is no "progress" happening. What is currently in the way of this
much-needed security feature to be fully implemented?
Right now, pacman is taking untrusted input from the internet as root.
That's very bad. Most of the comments I've seen say that an attacker
could hold back vulnerable packages, but this is assuming the attacker
does not have bigger plans. The pacman tool is not immune to bugs in
the way it parses the database files. It has no privilege separation
in the download/parsing code as far as I can see (apt and others have
had this for a long time) so it's really an even more dire situation.
Pacman should not perform any operations as root until it has verified
the signature of all files being used to install/upgrade the packages,
but it currently does everything (downloading, verifying, etc) as root.
I'd like to get a discussion going about how and when these two issues
could be resolved so that all Arch users can be safer. Thanks.