[arch-general] [arch-dev-public] Can we trust our mirrors?
Gerhard Brauer
gerhard.brauer at web.de
Sun Nov 30 08:01:29 EST 2008
On Sun, 30 Nov 2008 07:06:09 -0500,
"Daenyth Blank" <daenyth+arch at gmail.com> wrote:
> On Sun, Nov 30, 2008 at 06:56, solsTiCe d'Hiver
> <solstice.dhiver at gmail.com> wrote:
> > i like the original idea of pierre. i had the same one ;-)
>
> I agree. We can talk until we're blue in the face about the "ideal"
> way to do it, but it doesn't mean a thing if it's not implemented.
> Let's get *something* done, even if it's not ideal.
You are both right.
Let's make a first step with signing the database file - either gpg or
RSA/DSA framework.
Also let's maybe switch package checksumming from md5 to maybe sha512
to get higher security for our then-signed db/checksum.
In the "ideal solution, the golden way" the database must be signed as
well. So let's start with this. We could get experience with handling
in repo-add, pacman etc.
In a further step we could think about package signing.
Maybe we/you could implement this as a Christmas gift to us users? ;-)
Regards
Gerhard