On Sun, 30 Nov 2008 07:06:09 -0500, "Daenyth Blank" <daenyth+arch@gmail.com> wrote:

> On Sun, Nov 30, 2008 at 06:56, solsTiCe d'Hiver <solstice.dhiver@gmail.com> wrote:
>
> > I like the original idea of Pierre. I had the same one ;-)
>
> I agree. We can talk until we're blue in the face about the "ideal" way to do it, but it doesn't mean a thing if it's not implemented. Let's get *something* done, even if it's not ideal.

You are both right. Let's make a first step with signing the database file, either gpg or an RSA/DSA framework. Also, let's maybe switch package checksumming from md5 to sha512 to get a higher level of security for our signed db/checksum. In the "ideal solution, the golden way", the database must be signed as well. So let's start with this. We could get experience with handling it in repo-add, pacman etc. In a further step we could think about package signing.

Maybe we/you could implement this as a Christmas gift to us users? ;-)

Regards
Gerhard
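The checksum half of Gerhard's proposal, as an added example that is not code from this thread or from pacman/repo-add: a database listing carries the digest algorithm next to each package's hex digest, so a repo can move from md5 to sha512 entry by entry, and the client recomputes the digest over the package bytes and compares in constant time. The manifest format, the package names and the package contents are all constructed for the example; the listing itself is what the thread says still has to be signed, and this code does not do that part.

```python
import hashlib
import hmac

# Constructed sample "packages": the bytes stand in for .pkg.tar.gz contents.
PACKAGES = {
    "foo-1.0-1": b"foo package contents",
    "bar-2.3-1": b"bar package contents",
}


def digest(data: bytes, algo: str = "sha512") -> str:
    """Hex digest of the package bytes with the given hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def build_manifest(packages, algo="sha512"):
    """Emit one 'name algo hexdigest' line per package (constructed db format).

    Naming the algorithm per entry is what lets a repo migrate md5 -> sha512
    without a flag day: old and new entries can coexist in one listing.
    """
    return "\n".join(f"{name} {algo} {digest(data, algo)}"
                     for name, data in packages.items())


def parse_manifest(text):
    """Parse the constructed db listing; reject malformed or unknown-algo lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed manifest line: {line!r}")
        name, algo, hexdigest = parts
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported digest algorithm {algo!r} for {name}")
        entries[name] = (algo, hexdigest.lower())
    return entries


def verify_packages(manifest_text, packages):
    """Return a per-package verdict: 'ok', 'mismatch' or 'missing-from-db'.

    The comparison uses hmac.compare_digest so a mismatch takes the same time
    regardless of how many leading hex characters happen to agree.
    """
    entries = parse_manifest(manifest_text)
    results = {}
    for name, data in packages.items():
        if name not in entries:
            results[name] = "missing-from-db"
            continue
        algo, expected = entries[name]
        actual = digest(data, algo)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


if __name__ == "__main__":
    manifest = build_manifest(PACKAGES)
    print(manifest)
    print(verify_packages(manifest, PACKAGES))
    tampered = dict(PACKAGES, **{"foo-1.0-1": b"altered package contents"})
    print(verify_packages(manifest, tampered))
```

Running it shows both packages verifying against the sha512 listing and the altered foo package reported as a mismatch. A mismatch only tells the client that the package does not match the listing it was given; whether that listing is the one the repo maintainers published is exactly the question the database signature in the thread is meant to answer.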