On 01/12/2014 01:13 PM, Taylor Hornby wrote:
> Thank you, that makes so much more sense!
> So, really, the vulnerability only exists while the Arch dev (or package maintainer or whatever they're called) is building the package. Once they do, and sign it, all Arch users will verify their signature to make sure they get the same file the Arch dev created.
That's correct! See these pages for more info on how pacman's signature checking works: <https://wiki.archlinux.org/index.php/Pacman#Package_security> <https://wiki.archlinux.org/index.php/Pacman-key>
> That's not so bad, then, since you can't really do any better unless the upstream source (Mozilla) signs their files, and the package maintainer has their public key.
To be honest, I'm a little surprised that Mozilla doesn't sign their Firefox source code.

Kyle
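As an added example (not code from this thread, from Arch, or from makepkg), a Python script that audits a constructed PKGBUILD fragment for the gap the thread describes: it checks each source's sha256sum against local bytes and reports whether the maintainer also pulls in an upstream PGP signature (a `.sig`/`.asc` source plus `validpgpkeys`). The package name, URLs, file contents and key id are constructed placeholders.

```python
import hashlib
import re
import shlex

def parse_array(text, name):
    """Extract a simple bash array such as name=('a' "b") from PKGBUILD text."""
    m = re.search(r'^' + re.escape(name) + r'=\((.*?)\)', text, re.M | re.S)
    return shlex.split(m.group(1)) if m else []

def source_filename(entry):
    """PKGBUILD source entries are 'localname::url' or a bare URL/path."""
    if '::' in entry:
        return entry.split('::', 1)[0]
    return entry.rsplit('/', 1)[-1]

def audit_pkgbuild(text, files):
    """Per non-signature source: does the sha256sum match the local bytes, and
    is there an upstream signature file plus a validpgpkeys entry to verify it?"""
    sources = parse_array(text, 'source')
    sums = parse_array(text, 'sha256sums')
    keys = parse_array(text, 'validpgpkeys')
    names = [source_filename(s) for s in sources]
    report = {}
    for name, expected in zip(names, sums):
        if name.endswith(('.sig', '.asc')):
            continue  # signature files are verified with gpg, not hashed
        data = files.get(name)
        hash_ok = (expected != 'SKIP' and data is not None
                   and hashlib.sha256(data).hexdigest() == expected)
        has_sig = any(n in (name + '.sig', name + '.asc') for n in names)
        report[name] = {'hash_ok': hash_ok, 'upstream_signed': has_sig and bool(keys)}
    return report

# Constructed sample inputs (not a real package): the tarball hash is correct,
# the patch hash is deliberately wrong to simulate a tampered local file.
TARBALL = b'constructed tarball bytes\n'
FILES = {'example-1.0.tar.xz': TARBALL, 'example.patch': b'--- a\n+++ b\n',
         'example-1.0.tar.xz.asc': b'-----BEGIN PGP SIGNATURE-----\n(constructed)\n'}
PKGBUILD = f'''pkgname=example
pkgver=1.0
source=("https://example.invalid/example-1.0.tar.xz"
        "https://example.invalid/example-1.0.tar.xz.asc"
        "example.patch")
sha256sums=('{hashlib.sha256(TARBALL).hexdigest()}'
            'SKIP'
            '{"0" * 64}')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # placeholder key id
'''
```

Run `audit_pkgbuild(PKGBUILD, FILES)`: the tarball reports `hash_ok` and `upstream_signed` as true, while the patch fails its hash and has no upstream signature at all.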