On Mon, Dec 8, 2008 at 7:08 AM, Dan McGee <dpmcgee@gmail.com> wrote:
On Mon, Dec 8, 2008 at 7:00 AM, Teran McKinney <sega01@gmail.com> wrote:
I like the idea of GPG signed repositories, but they are just about useless if they are signing MD5s. MD5 is very insecure, but good for normal file integrity checking. Can Pacman use SHA-256 or similar? Another thing to watch out for is malicious publication of old repositories with old and vulnerable packages that have the force option set. I've thought briefly on how to circumvent this, but not enough to have a method I would propose.
I think you misunderstood completely- try reading this first: http://archlinux.org/pipermail/arch-dev-public/2008-December/009244.html
And sorry about this- I thought I had cross-posted this message to this list, so now I see why it maybe wasn't clear the route we were taking. Let me know if you have questions. -Dan
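As an added illustration of the two concerns raised in the thread (the signature only protects what the signed database vouches for, so the per-package digest has to be collision resistant, and a signature alone does not stop someone re-publishing an old, still validly signed snapshot), here is a small Go sketch. It is not pacman code and not from anyone on this list: the `Manifest` structure, the Ed25519 key pair standing in for a GPG key, and the version counter used to refuse rollback are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for a repository database. It lists the
// SHA-256 digest of every package and carries a version that only ever grows,
// so a client can tell a replayed old snapshot from a genuine update.
type Manifest struct {
	Version  uint64            `json:"version"`
	Packages map[string]string `json:"packages"` // package name -> hex SHA-256
}

// SignedManifest is the serialized manifest plus the signature over it.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// NewKeyPair generates the Ed25519 pair that plays the role of the repo key.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestHex returns the hex SHA-256 of a package's bytes.
func DigestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest serializes the manifest and signs the exact bytes a client
// will later parse; json.Marshal orders map keys, so the encoding is stable.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyManifest checks the signature first, then refuses any manifest older
// than the version this client last accepted (the anti-rollback check).
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest, lastSeen uint64) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return Manifest{}, errors.New("manifest signature does not verify")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version < lastSeen {
		return Manifest{}, fmt.Errorf("rollback: manifest version %d is older than last accepted %d", m.Version, lastSeen)
	}
	return m, nil
}

// VerifyPackage checks downloaded bytes against the digest the signed
// manifest vouches for; the signature is only as strong as this hash.
func VerifyPackage(m Manifest, name string, data []byte) error {
	want, ok := m.Packages[name]
	if !ok {
		return fmt.Errorf("package %q is not listed in the manifest", name)
	}
	if DigestHex(data) != want {
		return fmt.Errorf("package %q: digest mismatch", name)
	}
	return nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	pkg := []byte("constructed package contents") // stands in for a .pkg.tar.gz
	m := Manifest{Version: 2, Packages: map[string]string{"example-pkg": DigestHex(pkg)}}
	sm, _ := SignManifest(priv, m)

	if got, err := VerifyManifest(pub, sm, 1); err == nil {
		fmt.Println("manifest accepted, package check:", VerifyPackage(got, "example-pkg", pkg))
	}
	// A client that already saw version 3 rejects this perfectly valid signature.
	_, err := VerifyManifest(pub, sm, 3)
	fmt.Println("replayed old manifest:", err)
}
```

The replay check is deliberately separate from the signature check: a stale snapshot carries a genuine signature, so only state kept on the client side (the last accepted version) can catch it.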