How exactly is core and extra database populated? Moreover, instead of building all packages in the private PCs of developers

Packages are not built on developers' computers but on build machines, as explained here: http://wiki.archlinux.org/index.php/Pacbuild

There is also an implementation of package signing in pacman on the link Xavier provided some emails up in this conversation. I don't think there is any need to re-think it all. It just needs to be tested. I am currently trying to set up a build system on my box and will then try to use these patches to provide feedback.

On 15 June 2010 15:57, Dimitrios Apostolou <jimis@gmx.net> wrote:
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
And keep in mind that package signing per se will not solve this kind of problem. Repository database signing is more important for that solution, but is a problem in the current workflow of Arch developers.
How exactly is core and extra database populated?
Moreover, instead of building all packages in the private PCs of developers, I think it is preferable to submit PKGBUILDs to build servers (via web interface maybe) and let the servers do the build + signing + repo update... That way, if a developer's system gets compromised, his packages will stay clean. Of course that needs extra work and equipment, but perhaps we can agree to it as a future target.
On another note, an easy but maybe a bit costly way to avoid any MITM tampering with packages is to serve *.md5 files for every package through a trusted HTTPS host. Then everyone can query that single host and check whether the package he got from a mirror is safe.
Costs: A little more traffic by serving hash files to everyone plus the cost of the certificate from a CA. Is the income Arch receives from ads and schwag enough for such a simple solution?
Dimitris
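The client-side check behind the HTTPS-hash proposal above, written out as an added example that is not part of this thread: a package fetched from an untrusted mirror is verified against an md5sum-style digest file which, in the proposal, would come from the trusted HTTPS host. The HTTPS fetch is replaced by constructed inline data, the function and file names are assumptions, and the digest algorithm is a parameter because the same flow works unchanged with SHA-256.

```python
import hashlib
import hmac


def publish_manifest(files, algorithm="md5"):
    """What the trusted HTTPS host would serve: one md5sum(1)-style line
    ("<hex digest>  <filename>") per package. `files` maps name -> bytes."""
    return "".join(
        f"{hashlib.new(algorithm, data).hexdigest()}  {name}\n"
        for name, data in files.items()
    )


def parse_manifest(text):
    """Parse md5sum-style lines into {filename: digest}.
    Malformed lines are skipped instead of being trusted."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.strip()] = digest.lower()
    return entries


def verify_package(name, data, manifest_text, algorithm="md5"):
    """Return True only if the digest of the mirror-supplied `data` matches the
    trusted manifest entry for `name`. Raises KeyError when the trusted host
    publishes no digest for this package, so "unknown" is never treated as "ok"."""
    expected = parse_manifest(manifest_text)[name]
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison; the digests are short but the habit is cheap.
    return hmac.compare_digest(actual, expected)


# Constructed sample data (not real Arch packages): what the build side published...
PKG_NAME = "example-1.0-1-x86_64.pkg.tar.xz"
PKG_ORIGINAL = b"constructed stand-in for the real package archive bytes\n"
TRUSTED_MANIFEST = publish_manifest({PKG_NAME: PKG_ORIGINAL})

# ...and two versions a mirror might hand out: the genuine one and a tampered one.
FROM_MIRROR_OK = PKG_ORIGINAL
FROM_MIRROR_TAMPERED = PKG_ORIGINAL.replace(b"real", b"evil")

if __name__ == "__main__":
    print("genuine :", verify_package(PKG_NAME, FROM_MIRROR_OK, TRUSTED_MANIFEST))
    print("tampered:", verify_package(PKG_NAME, FROM_MIRROR_TAMPERED, TRUSTED_MANIFEST))
```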