On Sat, 29 Nov 2008 15:00:20 +0100, Thomas Bächler <thomas@archlinux.org> wrote:
> Pierre Schmitz wrote:
>> The simplest solution would be if we sign the db files (automatically) on gerolde. Of course this is less secure than signing every single package by its packager; but on the other side it would be easy to implement and there would be no overhead for packagers.
> If this is to provide any security, we need to stop using md5! md5 is okay when trying to detect corrupted downloads, however it is possible to find collisions and thus build a "bad" package that has the same md5 as the good package.
For myself I don't accept the "md5sum is bad" argument as a "stopper" for each idea to provide a pacman security concept ;-)

The current situation is: everyone who offers a mirror could provide a manipulated pacman or bash package. He could reduce the content of a binary to a simple rm -rf, fdisk or something. He only has to tar "his" package and edit core.db.tar.gz.

If we sign our db files (as a minimum!), this would make package manipulation more difficult. Content changes of pacman or bash packages (*.pkg.tar.gz) that keep the same md5sum or sha checksum are surely not impossible - but much more difficult than in our current situation.

So let's make a first step!

Gerhard
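As an added illustration of the point made above (example code, not from this thread or from pacman): a rogue mirror that rewrites both the package and the db entry passes a checksum-only check, while a db whose digest is pinned to a trusted value is rejected. Assumptions: a pacman-style db tarball with `%FILENAME%`/`%SHA256SUM%` desc fields, and a digest obtained from a signed copy of the db standing in for real signature verification.

```python
import hashlib
import io
import tarfile

def build_db(entries):
    # Minimal pacman-style db: one "<name-ver>/desc" file per package, %KEY%\nvalue blocks.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for entry, fields in entries.items():
            desc = "".join(f"%{k}%\n{v}\n\n" for k, v in fields.items()).encode()
            info = tarfile.TarInfo(f"{entry}/desc")
            info.size = len(desc)
            tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()

def parse_db(db_bytes):
    # Map %FILENAME% -> %SHA256SUM% for every desc entry in the db.
    index = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.name.endswith("/desc"):
                continue
            lines = tar.extractfile(member).read().decode().splitlines()
            fields = {line.strip("%"): lines[i + 1] for i, line in enumerate(lines)
                      if line.startswith("%") and line.endswith("%")}
            index[fields["FILENAME"]] = fields["SHA256SUM"]
    return index

def package_matches_db(db_bytes, filename, pkg_bytes):
    # All an unsigned db lets a client check: package hash == entry in the db it was served.
    return parse_db(db_bytes).get(filename) == hashlib.sha256(pkg_bytes).hexdigest()

def db_is_trusted(db_bytes, trusted_digest):
    # Stand-in for signature verification: the digest is assumed to come from a signed db copy.
    return hashlib.sha256(db_bytes).hexdigest() == trusted_digest

def scenario():
    name = "pacman-3.2.1-1-i686.pkg.tar.gz"          # constructed sample values
    good_pkg = b"constructed: genuine pacman package"
    bad_pkg = b"constructed: package replaced by a rogue mirror"
    official_db = build_db({"pacman-3.2.1-1": {"FILENAME": name,
                            "SHA256SUM": hashlib.sha256(good_pkg).hexdigest()}})
    trusted = hashlib.sha256(official_db).hexdigest()  # what the db signature would attest
    mirror_db = build_db({"pacman-3.2.1-1": {"FILENAME": name,   # db edited to match bad_pkg
                          "SHA256SUM": hashlib.sha256(bad_pkg).hexdigest()}})
    return {
        "official_accepted": db_is_trusted(official_db, trusted)
                             and package_matches_db(official_db, name, good_pkg),
        "unsigned_check_fooled": package_matches_db(mirror_db, name, bad_pkg),
        "signed_db_rejects_mirror": not db_is_trusted(mirror_db, trusted),
    }
```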