[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)
Ananda Samaddar
ananda at samaddar.co.uk
Sun Jun 13 05:48:53 EDT 2010
On Sun, 13 Jun 2010 19:48:53 +1000
Allan McRae <allan at archlinux.org> wrote:
> >>
> >
> > This is the reason why we need package signing for Pacman. I'm
> > aware that some progress has been made and it's being worked on.
> > Are there any updates?
> >
>
> Yes... because package signing magically fixes all upstream issues.
>
> Allan
My point was that malicious attackers can add compromised packages to
mirrors and alter the repo.db. Package signing would mitigate that. I
was attempting to say that what happened in this instance could happen
to an Arch mirror or mirrors. There's no need to be rude.
Ananda