17 Mar 2010, 9:06 a.m.
On 17.03.2010 01:06, Linas wrote:
> There are several ways to close the gap:
> * Always download the package list from ftp.archlinux.org. It's the easiest solution, but it only protects against the mirror operator. Moreover, it increases load on that server and makes it a single point of failure.
ftp.archlinux.org is yet another mirror ... a very slow one.
> * Package lists are signed with a trusted master key. There may be up to one key per repo. Easy to provide, allows backward compatibility.
Signing databases would work if we had a hash other than md5 for packages.
> * Packages are automatically signed by ftp.archlinux.org before they are distributed.
Hmm, see above.
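As an added example (not code from this thread, from Arch or from pacman), the "signed package list" option written out as a verification chain in Go, with the md5 objection from the reply enforced as policy: the ed25519 master key, the desc-style list layout, the package names and the package bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"fmt"
	"strings"
)

// fieldOf returns the value line that follows a %KEY% line in a desc-style block ("" if absent).
func fieldOf(block, key string) string {
	_, after, _ := strings.Cut(block, "%"+key+"%\n")
	value, _, _ := strings.Cut(after, "\n")
	return value
}

// verifyPackage walks the chain master key -> signed package list -> package bytes. An entry
// that lists only %MD5SUM% is refused: a collision-prone hash means the signed list no longer pins the bytes.
func verifyPackage(pub ed25519.PublicKey, db, sig []byte, filename string, pkg []byte) error {
	if !ed25519.Verify(pub, db, sig) {
		return fmt.Errorf("package list signature does not verify against the master key")
	}
	for _, block := range strings.Split(string(db), "\n\n") {
		if fieldOf(block, "FILENAME") != filename {
			continue
		}
		if want := fieldOf(block, "SHA256SUM"); want == "" {
			return fmt.Errorf("%s: entry carries only md5, not trusting it", filename)
		} else if want != fmt.Sprintf("%x", sha256.Sum256(pkg)) {
			return fmt.Errorf("%s: sha256 mismatch, package differs from the signed entry", filename)
		}
		return nil
	}
	return fmt.Errorf("%s: not listed in the signed package list", filename)
}

// demoRepo signs a constructed two-entry list with a throwaway master key (all-zero seed, demo only).
func demoRepo() (pub ed25519.PublicKey, db, sig, foo, bar []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	foo, bar = []byte("constructed package bytes: foo 1.0"), []byte("constructed package bytes: bar 2.0")
	db = []byte(fmt.Sprintf("%%FILENAME%%\nfoo-1.0-1-x86_64.pkg.tar.xz\n%%SHA256SUM%%\n%x\n\n"+
		"%%FILENAME%%\nbar-2.0-1-x86_64.pkg.tar.xz\n%%MD5SUM%%\n%x", sha256.Sum256(foo), md5.Sum(bar)))
	return priv.Public().(ed25519.PublicKey), db, ed25519.Sign(priv, db), foo, bar
}

func main() {
	pub, db, sig, foo, _ := demoRepo()
	fmt.Println(verifyPackage(pub, db, sig, "foo-1.0-1-x86_64.pkg.tar.xz", foo)) // <nil>
}
```

A real repository would carry the signed list and its detached signature as separate files; here the signature covers the whole list so that any edit by a mirror, not just a swapped hash, fails verification.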