[arch-general] Arch Linux and security - it needs some work

Nilesh Govindarajan lists at itech7.com
Sun Jan 31 23:18:45 EST 2010


On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
> I really like Arch. I switched about a year ago after being a Debian
> user for nine years.  There is something that troubles me though about
> Arch.  Its lack of security focus.  By this I mean there is no
> consistent way that security issues are dealt with.  There was a
> proposal for 'The Arch Linux Security Team' but it seems to have fallen
> by the wayside[1].  I propose to resurrect this in the spirit of Arch's
> users becoming contributors.
>
> I, hopefully not alone, wish to draw up a list of processes that can be
> used to create a dedicated Arch Linux security team that can deal
> quickly and efficiently with security alerts.  It would need to be able
> to liaise successfully with Arch developers and hopefully over time
> security team members can become trusted users.
>
> I'm mentioning it now as I notice that an Arch Conference is being
> organised in Canada.  One of my proposals (shamefully stolen from
> Debian) would be to have key-signing parties at Arch Linux meet-ups.
> This could then be used to create an Arch Linux web of trust.
>
> So basically I'm going to get my ideas into writing and post them on
> this list. I hope others will be willing to come forward and contribute
> too.  After some discussion we should be able to reach a consensus and
> start giving security issues the priority they deserve.
>
> regards,
>
> Ananda Samaddar
>
>
>
> [1] http://wiki.archlinux.org/index.php/Security_Task_Force
>

Key signing is not required for us, I think, because Arch people are the 
first to release package updates. They are tested properly and are given in 
.tar.gz archives. Even if a byte is altered in the archive, its 
md5sum would change, so pacman will complain.

-- 
Nilesh Govindarajan
Site & Server Administrator
www.itech7.com
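
What a checksum comparison of the kind described in the reply above detects, next to what a key-based check detects, as an added example that is not part of the original thread and is not pacman's code. HMAC-SHA256 stands in for a packager signature (a real deployment would use public-key signatures so clients hold no secret); the key, payloads and function names are constructed for this demonstration.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: only the packager can produce tags with it.
# With real public-key signatures the client would verify with a public key only.
PACKAGER_KEY = b"constructed-demo-key"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sign(key: bytes, archive: bytes) -> str:
    """Stand-in for a packager signature over the archive bytes."""
    return hmac.new(key, archive, hashlib.sha256).hexdigest()


def publish(archive: bytes) -> dict:
    """What the packager uploads: archive, its MD5, and a keyed tag."""
    return {"archive": archive, "md5": md5_hex(archive),
            "sig": sign(PACKAGER_KEY, archive)}


def bit_flip(entry: dict) -> dict:
    """Accidental corruption: the archive changes, the metadata does not."""
    data = entry["archive"]
    return {**entry, "archive": bytes([data[0] ^ 0x01]) + data[1:]}


def republish_without_key(entry: dict, new_archive: bytes) -> dict:
    """A party serving both archive and checksum can recompute the MD5,
    but cannot produce a valid tag because it does not hold the key."""
    return {**entry, "archive": new_archive, "md5": md5_hex(new_archive)}


def verify(entry: dict) -> tuple:
    """Return (checksum_ok, signature_ok) for a downloaded entry."""
    checksum_ok = hmac.compare_digest(md5_hex(entry["archive"]), entry["md5"])
    signature_ok = hmac.compare_digest(
        sign(PACKAGER_KEY, entry["archive"]), entry["sig"])
    return checksum_ok, signature_ok


if __name__ == "__main__":
    original = publish(b"constructed package payload v1.0")
    print("as published:      ", verify(original))
    print("corrupted transfer:", verify(bit_flip(original)))
    print("replaced on mirror:",
          verify(republish_without_key(original, b"different contents")))
```

The checksum catches the corrupted transfer, while only the keyed check distinguishes the replaced archive whose MD5 was recomputed alongside it.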

