On Tue, Mar 16, 2010 at 1:24 PM, Nilesh Govindarajan <lists@itech7.com> wrote:
On Tue, Mar 16, 2010 at 10:48 PM, Jared Casper <jaredcasper@gmail.com> wrote:
On Tue, Mar 16, 2010 at 8:49 AM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Tue, Mar 16, 2010 at 12:32 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
I don't think we need any security team for Arch. New packages are released within a week of their updates. GPG signing and md5sum verification is a must though.
md5sum verification has ALWAYS been done
In a security context, verification of files installed by a package _after installation_ would be nice. i.e. "pacman --verify /usr/sbin/sshd" would tell me if the md5sum (or sha1sum, etc) of my /usr/sbin/sshd matches that of the official package.
Jared
Let this thread not be just another "Will be nice" one. Pacman devs, please start implementing these package verification things.
Users who want these things, please start joining the pacman dev team.
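The check Jared sketches above (compare the digest of an installed file against the digest the package recorded) is small enough to show end to end. The block below is an added example, not pacman code and not anything posted in this thread. It assumes a constructed manifest format ("sha256 <hex>  <path>" per line) and builds a throwaway root directory with one intact, one modified and one missing file; real pacman keeps per-package file data under /var/lib/pacman/local/<pkg>/, and today's pacman exposes this kind of check as `pacman -Qkk`. One caveat a practitioner would want stated: a verifier that reads the expected digests from the same disk it is checking only catches accidental or careless changes. If an attacker can rewrite /usr/sbin/sshd they can usually rewrite the local database too, so for a security conclusion the reference digests should come from the signed package (the GPG signing mentioned earlier in the thread), not from the host being checked.

```python
"""Verify installed files against a manifest of expected SHA-256 digests.

Added example, not pacman's code. The manifest format is constructed for
this demo: one "sha256 <hexdigest>  <absolute path>" entry per line.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(lines: Iterable[str]) -> Dict[str, str]:
    """Map each recorded path to its expected digest; reject unknown algorithms."""
    expected: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, path = line.split(None, 2)
        if algo != "sha256":
            raise ValueError(f"unsupported digest algorithm: {algo}")
        expected[path] = digest.lower()
    return expected


def verify(expected: Dict[str, str], root: str = "/") -> Dict[str, str]:
    """Return {path: status} with status 'ok', 'modified' or 'missing'.

    `root` lets the same code run against an alternate mount (for example a
    disk image examined offline) instead of the live filesystem.
    """
    results: Dict[str, str] = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha256_file(full) != digest:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Build a constructed fake root and manifest, then tamper with one file."""
    root = tempfile.mkdtemp()
    files = {
        "usr/sbin/sshd": b"#!/bin/sh\necho original sshd\n",      # constructed stand-in
        "etc/ssh/sshd_config": b"PermitRootLogin no\n",            # constructed
    }
    manifest = []
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        manifest.append(f"sha256 {hashlib.sha256(data).hexdigest()}  /{rel}")
    # Recorded in the manifest but never written to disk: should report 'missing'.
    manifest.append(f"sha256 {hashlib.sha256(b'placeholder').hexdigest()}  /usr/lib/libexample.so")
    # Simulate a post-install modification of the binary: should report 'modified'.
    with open(os.path.join(root, "usr/sbin/sshd"), "ab") as fh:
        fh.write(b"echo extra line\n")
    return verify(parse_manifest(manifest), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

Running the block prints `ok` for sshd_config, `modified` for sshd and `missing` for the library entry. Pointing `verify()` at a real manifest with `root="/"` gives the `pacman --verify`-style report Jared asked for.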