[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Ionuț Bîru biru.ionut at gmail.com
Tue Jun 15 09:59:12 EDT 2010


On 06/15/2010 04:57 PM, Dimitrios Apostolou wrote:
> On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
>> And keep in mind that package signing per se will not solve this kind
>> of problems. Repository database signing is more important for that
>> solution, but is a problem in the current workflow of Arch developers.
>
> How exactly is core and extra database populated?

repo-add reponame.db.tar.gz packagefile.

On the server we have db-core/extra/testing, which checks out the package 
build from svn, compares the version, then copies it into the directory and 
runs repo-add.

>
> Moreover, instead of building all packages in the private PCs of
> developers, I think it is preferable to submit PKGBUILDs to build
> servers (via web interface maybe) and let the servers do the build +
> signing + repoupdate... That way if a developer's system gets
> compromised his packages will stay clean. Of course that needs extra
> work and equipment, but perhaps we can agree to it as a future target.
>

I find this annoying since debugging is much harder: I have to 
download the resulting package to test it, send it, and wait for the pool to 
come. It's a mess :D

Even if my system is compromised, we build our packages in clean chroots.


-- 
Ionuț
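As an added example that is not part of this thread, here is a stdlib-only Python model of what repo-add writes into reponame.db.tar.gz and of the point made above: the checksums a client trusts live in the database, so the database itself needs a signature check before any per-package check means anything. The desc field layout follows repo-add; the keyed hash used as the database signature is a constructed stand-in for a GPG detached signature so the example runs offline.

```python
import hashlib, hmac, io, tarfile

SIGNING_KEY = b"constructed-demo-key"  # constructed stand-in for the repo signing key

def build_db(packages):
    """Write a repo-add style reponame.db.tar.gz from {filename: package bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, data in packages.items():
            # package filename is <name>-<ver>-<rel>-<arch>.pkg.tar.xz
            name, ver, rel, _arch = fname.removesuffix(".pkg.tar.xz").rsplit("-", 3)
            desc = (f"%FILENAME%\n{fname}\n\n%NAME%\n{name}\n\n%VERSION%\n{ver}-{rel}\n\n"
                    f"%SHA256SUM%\n{hashlib.sha256(data).hexdigest()}\n\n")
            info = tarfile.TarInfo(f"{name}-{ver}-{rel}/desc")
            info.size = len(desc.encode())
            tar.addfile(info, io.BytesIO(desc.encode()))
    return buf.getvalue()

def parse_db(db):
    """Return {filename: {field: value}} from every */desc entry in the db."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(db), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.name.endswith("/desc"):
                continue
            fields = {}
            for block in tar.extractfile(member).read().decode().strip().split("\n\n"):
                key, _, value = block.partition("\n")
                fields[key.strip("%")] = value.strip()
            entries[fields["FILENAME"]] = fields
    return entries

def sign_db(db):
    """Detached signature over the whole db (keyed hash standing in for gpg)."""
    return hmac.new(SIGNING_KEY, db, hashlib.sha256).hexdigest()

def verify_repo(db, db_sig, packages):
    """Verify the db signature first, then every package against the db's checksum.
    Returns a list of findings; an empty list means the repo verified."""
    if not hmac.compare_digest(sign_db(db), db_sig):
        return ["database signature mismatch: do not trust any checksum in it"]
    findings = []
    for fname, fields in parse_db(db).items():
        data = packages.get(fname)
        if data is None:
            findings.append(f"{fname}: listed in db but missing from pool")
        elif hashlib.sha256(data).hexdigest() != fields["SHA256SUM"]:
            findings.append(f"{fname}: checksum does not match db")
    return findings
```

A database rebuilt by anyone without the signing key fails the first check, so the checksums inside it are never consulted; a swapped package file under a genuine database fails the second.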

