On Mon, Oct 31, 2016 at 07:18:01PM -0400, Eli Schwartz via arch-general wrote:
On 10/31/2016 05:50 PM, Leonid Isaev wrote:
As a side question... is there a significant difference in signing PKGBUILD vs the compiled package.
Do you realize, when you ask if there is a difference between signing a PKGBUILD vs. a built package, it sounds an awful lot like asking if there is a difference between a PKGBUILD and a built package?
It does not, really...
Given that when building a pkg, I inspect the PKGBUILD, what attack is possible when the PKGBUILD is not signed?
Off the top of my head, there is *the topic of this thread*. Someone could modify the checksums and deliver fake sources. When the PKGBUILD just says "run `make`", how do you tell the difference?
Well, my mentality is that authenticating plain-text data is usually not necessary because a user can always inspect it (notice, I don't care if a PKGBUILD comes from an authentic source, I only care if its not doing smth malicious). This is why I inspect the PKGBUILD and corresponding install files / patches. At least, I thought this is why PKGBUILDs are not signed in the same manner that Gentoo signs ebuilds... Regarding checksums, how did a dev know that upstream sources are authentic? I use a similar judgement (as a practical example, in my packages I always maintain multiple checksums: one from Arch, another from Gentoo, third from Debian/Fedora, and have a keyring with all upstream keys I can get). But anyway, my question has already been answered... Thanks, L. -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D