[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Ng Oon-Ee ngoonee at gmail.com
Sun Jun 13 06:47:48 EDT 2010


On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote:
> On Sun, 13 Jun 2010 19:48:53 +1000
> Allan McRae <allan at archlinux.org> wrote:
> 
> > >>
> > >
> > > This is the reason why we need package signing for Pacman.  I'm
> > > aware that some progress has been made and it's being worked on.
> > > Are there any updates?
> > >
> > 
> > Yes...  because package signing magically fixes all upstream issues.
> > 
> > Allan
> 
> My point was that malicious attackers can add compromised packages to
> mirrors and alter the repo.db.  Package signing would mitigate that.  I
> was attempting to say that what happened in this instance could happen
> to an Arch mirror or mirrors.  There's no need to be rude.
> 
Every time this comes up the response is the same. Package signing will
only be a big deal if enough people are willing to get coding to
implement it. Necessity is determined by availability, not the other way
round.

The way I see it, if no one is willing to work on it, it can't be too
important in a general sense.



More information about the arch-general mailing list