[arch-general] [arch-dev-public] Can we trust our mirrors?
Thomas Bächler
thomas at archlinux.org
Sat Nov 29 20:36:48 EST 2008
Aaron Griffin schrieb:
> I think we're confusing things here. The checksums in pacman are only
> used for integrity, not security. I agree that the first step towards
> super-omg-secure packages would be switching to a different checksum,
> but sha1 might be deemed insecure soon too. Why not jump over that one
> to something like sha256?
Once you sign the repo db file, the checksums are signed as well, so you
cannot change the checksum without invalidating the db signature. If you
would use a secure hash function, this adds a good layer of security
(except for the trust issue).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://archlinux.org/pipermail/arch-general/attachments/20081130/0fb13cb1/attachment.pgp>
More information about the arch-general
mailing list