On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote:
On Sun, 13 Jun 2010 19:48:53 +1000 Allan McRae <allan@archlinux.org> wrote:
This is the reason why we need package signing for Pacman. I'm aware that some progress has been made and it's being worked on. Are there any updates?
Yes... because package signing magically fixes all upstream issues.
Allan
My point was that malicious attackers can add compromised packages to mirrors and alter the repo.db. Package signing would mitigate that. I was attempting to say that what happened in this instance could happen to an Arch mirror or mirrors. There's no need to be rude.
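As an added illustration of the mitigation described in the message above (this is example code, not from the thread, from pacman or from Arch), the following Go program models the three parties involved: a maintainer who signs every package and the repo.db with an Ed25519 packaging key, an untrusted mirror that can replace any file it serves, and a client that trusts nothing but the pinned public key. The file layout, the one-line-per-package database format and the package names are constructed for the example. The client checks the database signature first, then the package signature, and finally that the package hash matches the entry in the verified database, so a mirror that swaps a package, rewrites the database, re-signs with its own key, or serves an old validly-signed package alongside a new database is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Mirror models an untrusted mirror: whoever controls it can replace any file.
type Mirror map[string][]byte

var (
	ErrMissing      = errors.New("file missing from mirror")
	ErrSignature    = errors.New("signature verification failed")
	ErrNotInDB      = errors.New("package not listed in verified repo.db")
	ErrHashMismatch = errors.New("package hash does not match verified repo.db")
)

// sha256Hex returns the hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// buildRepoDB renders a constructed, minimal repo.db: one "name sha256" line
// per package, sorted so the encoding (and therefore its signature) is deterministic.
func buildRepoDB(pkgs map[string][]byte) []byte {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, sha256Hex(pkgs[n]))
	}
	return []byte(b.String())
}

// Publish is the maintainer side: sign each package and the database with the
// packaging key and hand everything, detached .sig files included, to the mirror.
func Publish(priv ed25519.PrivateKey, pkgs map[string][]byte) Mirror {
	m := Mirror{}
	for name, data := range pkgs {
		m[name] = data
		m[name+".sig"] = ed25519.Sign(priv, data)
	}
	db := buildRepoDB(pkgs)
	m["repo.db"] = db
	m["repo.db.sig"] = ed25519.Sign(priv, db)
	return m
}

// fetchVerified downloads name and name.sig and checks the signature against
// the pinned key before returning the bytes.
func fetchVerified(m Mirror, pub ed25519.PublicKey, name string) ([]byte, error) {
	data, okData := m[name]
	sig, okSig := m[name+".sig"]
	if !okData || !okSig {
		return nil, fmt.Errorf("%w: %s", ErrMissing, name)
	}
	if !ed25519.Verify(pub, data, sig) {
		return nil, fmt.Errorf("%w: %s", ErrSignature, name)
	}
	return data, nil
}

// FetchPackage is the client side. Only the pinned public key is trusted; the
// database must verify, the package must verify, and the package must be the
// exact bytes the verified database lists.
func FetchPackage(m Mirror, pub ed25519.PublicKey, name string) ([]byte, error) {
	db, err := fetchVerified(m, pub, "repo.db")
	if err != nil {
		return nil, err
	}
	expected := ""
	for _, line := range strings.Split(strings.TrimSpace(string(db)), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == name {
			expected = fields[1]
		}
	}
	if expected == "" {
		return nil, fmt.Errorf("%w: %s", ErrNotInDB, name)
	}
	pkg, err := fetchVerified(m, pub, name)
	if err != nil {
		return nil, err
	}
	if sha256Hex(pkg) != expected {
		return nil, fmt.Errorf("%w: %s", ErrHashMismatch, name)
	}
	return pkg, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	mirror := Publish(priv, map[string][]byte{"foo-1.0.pkg.tar.xz": []byte("foo v1")})
	_, err := FetchPackage(mirror, pub, "foo-1.0.pkg.tar.xz")
	fmt.Println("clean mirror:", err)
	mirror["foo-1.0.pkg.tar.xz"] = []byte("trojaned foo") // mirror compromise
	_, err = FetchPackage(mirror, pub, "foo-1.0.pkg.tar.xz")
	fmt.Println("tampered package:", err)
}
```

The hash check on the last step is what ties a package to a particular database revision: without it, a mirror holding an old package and its old (still valid) signature could serve that pair next to a newer database, and the client would accept a downgrade.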
Every time this comes up the response is the same. Package signing will only be a big deal if enough people are willing to get coding to implement it. Necessity is determined by availability, not the other way round. The way I see it, if no one is willing to work on it, it can't be too important in a general sense.