[arch-dev-public] [RFC] Moving repos to nymeria

Gaetan Bisson bisson at archlinux.org
Sun Sep 16 20:36:01 EDT 2012

[2012-09-16 23:33:39 +0000] Xyne:
> I see now that what I proposed would not ensure the integrity of package
> metadata such as dependencies.

As the metadata is found within packages (.pkg.tar.xz), package
signatures (.pkg.tar.xz.sig) ensure their integrity and, more
importantly, authenticity.

The point of signing the DB is to prevent an attacker from distributing
an outdated Arch package (properly signed by one of our packagers) which
has a known vulnerability.

For this, all we really need to sign is a list of unique identifiers for
the most recent version of all packages in each repo. These identifiers
could be the hash of each package, tuples ($pkgname,$pkgver,$pkgrel),
etc. But of course it is more elegant to simply sign the DB. What
matters is that an attacker cannot withhold one package without
withholding all packages (by withholding the DB and its sig).

So, when an official packager updates the DB, to prevent an attacker
with access to our servers from sneaking in an old version of some package,
they really need to check that the DB was properly signed by another
official packager before making changes and signing it themselves. That
is the cryptographically secure way.

The other way which has been proposed is based on the assumption that
some "hardened" server cannot be breached; then we push our changes to
this server and rely on it for automatically signing the DB.
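
The following is an added example, not part of the message above and not Arch's tooling. It models the two checks the message describes: a client accepting a package only if it matches the signed DB, and a packager verifying the current DB signature before editing and re-signing. Assumptions: HMAC stands in for PGP detached signatures, and the JSON DB format, key table, packager names and `examplepkg` are hypothetical.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for a packager's PGP detached signature.
PACKAGER_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def sign(signer, data):
    mac = hmac.new(PACKAGER_KEYS[signer], data, hashlib.sha256).hexdigest()
    return {"signer": signer, "mac": mac}

def verify(sig, data):
    key = PACKAGER_KEYS.get(sig.get("signer"))
    if key is None:
        return False  # signer is not an official packager
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.get("mac", ""))

def update_db(db_bytes, db_sig, packager, name, pkgver, pkgrel, pkg_bytes):
    """Packager side: check the current DB signature before editing and re-signing."""
    if not verify(db_sig, db_bytes):
        raise ValueError("current DB signature invalid; refusing to re-sign")
    db = json.loads(db_bytes)
    db[name] = {"pkgver": pkgver, "pkgrel": pkgrel,
                "sha256": hashlib.sha256(pkg_bytes).hexdigest()}
    new_db = json.dumps(db, sort_keys=True).encode()
    return new_db, sign(packager, new_db)

def client_accepts(db_bytes, db_sig, name, pkg_bytes, pkg_sig):
    """Client side: package sig gives authenticity, signed DB gives freshness."""
    if not (verify(pkg_sig, pkg_bytes) and verify(db_sig, db_bytes)):
        return False
    entry = json.loads(db_bytes).get(name)
    return bool(entry) and entry["sha256"] == hashlib.sha256(pkg_bytes).hexdigest()

def demo():
    # Constructed package contents: an old release and its fixed successor.
    old_pkg, new_pkg = b"examplepkg 1.0-1 (vulnerable)", b"examplepkg 1.0-2 (fixed)"
    old_sig, new_sig = sign("alice", old_pkg), sign("alice", new_pkg)
    db0 = b"{}"
    db1, sig1 = update_db(db0, sign("alice", db0), "alice", "examplepkg", "1.0", "1", old_pkg)
    db2, sig2 = update_db(db1, sig1, "bob", "examplepkg", "1.0", "2", new_pkg)
    tampered = db2.replace(b'"pkgrel": "2"', b'"pkgrel": "1"')  # unsigned server-side edit
    try:
        update_db(tampered, sig2, "alice", "other", "1", "1", b"x")
        refused = False
    except ValueError:
        refused = True
    return {"current_pkg": client_accepts(db2, sig2, "examplepkg", new_pkg, new_sig),
            "old_pkg_with_current_db": client_accepts(db2, sig2, "examplepkg", old_pkg, old_sig),
            "old_pkg_with_old_db": client_accepts(db1, sig1, "examplepkg", old_pkg, old_sig),
            "packager_refuses_tampered_db": refused}
```

The properly signed old package is rejected against the current DB, while the old DB and its signature still verify together, which is the "withhold all packages" case the message refers to.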

