2014/1/12 Taylor Hornby <havoc@defuse.ca>

> On 01/12/2014 01:56 PM, Kyle Terrien wrote:
>> On 01/12/2014 12:40 PM, Taylor Hornby wrote:
>>> I guess I just don't understand what happens when I type "pacman -S firefox." Does that run the PKGBUILD on my system, or does it download and install pre-compiled (and signed) Firefox binaries that were created by one of the Arch developers using the PKGBUILD?
>>
>> "pacman -S firefox" installs a pre-compiled binary maintained by an Arch Dev. On the other hand, PKGBUILDs are for building packages.
>>
>> And the official firefox package is cryptographically signed by the package maintainer (not Mozilla).
>>
>> Hopefully, that clears things up.
>
> Thank you, that makes so much more sense!
>
> So, really, the vulnerability only exists while the Arch dev (or package maintainer or whatever they're called) is building the package. Once they do, and sign it, all Arch users will verify their signature to make sure they get the same file the Arch dev created.
>
> That's not so bad, then, since you can't really do any better unless the upstream source (Mozilla) signs their files, and the package maintainer has their public key.
I think this could yet be a problem if the sysadmin wants to build all of his system. Then he will fall into the same problem with the AUR PKGBUILDs, or am I wrong?
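One check a sysadmin who builds everything from PKGBUILDs can apply, added here as an example and not from anyone in this thread: makepkg only verifies an upstream detached signature when the PKGBUILD lists the .sig/.asc file in source= and pins the upstream key's fingerprint in validpgpkeys=, so the script below inspects PKGBUILDs for both. The two PKGBUILD texts are constructed, the URLs are dummies, and the fingerprint is a placeholder rather than Mozilla's key.

```shell
#!/bin/sh
# Constructed PKGBUILD text (illustrative, not the real Arch firefox PKGBUILD).
# The upstream tarball is listed together with its detached .asc signature and
# the key makepkg must trust; the fingerprint is a placeholder, not Mozilla's.
SAMPLE_VERIFIED='pkgname=firefox
pkgver=26.0
source=("https://example.invalid/firefox-${pkgver}.source.tar.bz2"{,.asc})
validpgpkeys=("0000000000000000000000000000000000000000")'

# Constructed counter-example: tarball only, so makepkg has nothing to verify
# and the build trusts whatever the download server hands back.
SAMPLE_UNVERIFIED='pkgname=foo
pkgver=1.0
source=("https://example.invalid/foo-${pkgver}.tar.gz")'

# Reads a PKGBUILD on stdin. Returns 0 only when a source= (or source_arch=)
# array names a .sig/.asc file AND validpgpkeys= pins a 40-hex-digit
# fingerprint, which is what makes makepkg refuse a tarball whose upstream
# signature does not check out.
pkgbuild_verifies_upstream() {
    text=$(cat)
    printf '%s\n' "$text" |
        grep -Eq '^[[:space:]]*source(_[A-Za-z0-9_]+)?=.*\.(sig|asc)' || return 1
    printf '%s\n' "$text" |
        grep -Eq "^[[:space:]]*validpgpkeys=\(?[\"']?[0-9A-Fa-f]{40}" || return 1
    return 0
}

# Report every PKGBUILD path given, e.g. check_pkgbuilds ~/abs/*/PKGBUILD
# (the path is an example; use wherever your PKGBUILDs live).
check_pkgbuilds() {
    for f in "$@"; do
        if pkgbuild_verifies_upstream < "$f"; then
            printf 'OK         %s\n' "$f"
        else
            printf 'UNVERIFIED %s\n' "$f"
        fi
    done
}
```

A PKGBUILD flagged UNVERIFIED is not necessarily malicious; it just means makepkg checks only the maintainer's sha/md5 sums, not an upstream signature, so the trust rests entirely on whoever wrote those sums.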