[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Dimitrios Apostolou jimis at gmx.net
Tue Jun 15 09:57:03 EDT 2010


On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
> And keep in mind that package signing per se will not solve this kind
> of problem. Repository database signing is more important for that
> solution, but is a problem in the current workflow of Arch developers.

How exactly is core and extra database populated?

Moreover, instead of building all packages in the private PCs of 
developers, I think it is preferable to submit PKGBUILDs to build servers 
(via web interface maybe) and let the servers do the build + signing + 
repo update... That way if a developer's system gets compromised his 
packages will stay clean. Of course that needs extra work and equipment, 
but perhaps we can agree to it as a future target.

On another note, an easy but maybe a bit costly way to avoid any MITM 
tampering to packages is to serve *.md5 files for every package through a 
trusted HTTPS host. Then everyone can query that single host and check 
if the package he got from a mirror is safe.

Costs: A little more traffic by serving hash files to everyone plus the 
cost of the certificate from a CA. Is the income Arch receives from 
ads and schwag enough for such a simple solution?


Dimitris
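The client-side half of the hash-file proposal above, as an added example that is not part of the thread or of Arch's tooling: it parses an md5sum-style `*.md5` file (assumed to have been fetched from the trusted HTTPS host) and checks a package downloaded from a mirror against it. The sample package bytes and file name are constructed, and the digest algorithm is a parameter so the same check works with SHA-256.

```python
import hashlib
import hmac

# Constructed sample input: stands in for a package fetched from an untrusted mirror.
PACKAGE_NAME = "example-1.0-1-x86_64.pkg.tar.xz"
PACKAGE_BYTES = b"constructed sample bytes, not a real package\n"


def make_hash_line(data: bytes, name: str, algo: str = "md5") -> str:
    """Produce one line in md5sum/sha256sum format: '<hexdigest>  <filename>'.
    This is what the trusted HTTPS host would publish for each package."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}\n"


def parse_hash_file(text: str) -> dict:
    """Map filename -> expected hexdigest from a *.md5-style file.
    Accepts both the text ('  ') and binary (' *') separators md5sum emits."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed hash line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_package(data: bytes, name: str, hash_file_text: str, algo: str = "md5") -> bool:
    """Return True only if the package's digest matches the entry listed under its name.
    A missing entry is treated as a failure, not as 'nothing to check'."""
    expected = parse_hash_file(hash_file_text)
    if name not in expected:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected[name])
```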
