[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Tue Jun 15 10:04:02 EDT 2010


On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou <jimis at gmx.net> wrote:
> On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
>>
>> And keep in mind that package signing per se will not solve this kind
>> of problems. Repository database signing is more important for that
>> solution, but is a problem in the current workflow of Arch developers.
>
> How exactly is core and extra database populated?
>
> Moreover, instead of building all packages in the private PCs of developers,
> I think it is preferable to submit PKGBUILDs to build servers (via web
> interface maybe) and let the servers do the build + signing + repoupdate...
> That way if a developer's system gets compromised his packages will stay
> clean. Of course that needs extra work and equipment, but perhaps we can
> agree to it as a future target.

Well, in fact, that is the very problem we have. The repository
database files are created remotely and I think that we should avoid
signing files remotely. In fact, a dev's machine is less visible than
the servers of Arch. And see the response from Ionut too.

I was thinking (see the wiki page for details) of a way to break the
creation of the repo db files into two stages. It probably will be
transparent for the developers. One stage creates the db file and the
other signs, but that must be done locally. I think that creating an
MD5 checksum and signing just that can be a solution.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
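
The two-stage split proposed in the message above, sketched as an added example that is not part of the original post and is not Arch's or pacman's code. Assumptions: Ed25519 from Go's standard library stands in for the developer's GnuPG key, SHA-256 is used in place of the MD5 checksum mentioned in the message, and all function names and the sample database entries are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage 1 (repo server): build the db and publish its digest; no key lives here.
func DigestDB(db []byte) []byte {
	sum := sha256.Sum256(db)
	return sum[:]
}

// Stage 2 (developer machine): sign only the digest, with a key that stays local.
func SignDigest(priv ed25519.PrivateKey, digest []byte) []byte {
	return ed25519.Sign(priv, digest)
}

// Client: the signature must cover the digest AND the digest must match the db.
func VerifyDB(pub ed25519.PublicKey, db, digest, sig []byte) error {
	if !ed25519.Verify(pub, digest, sig) {
		return fmt.Errorf("signature does not match digest")
	}
	if !bytes.Equal(DigestDB(db), digest) {
		return fmt.Errorf("database does not match signed digest")
	}
	return nil
}

// DemoKeys is a hypothetical helper: a throwaway developer key pair.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := DemoKeys()
	db := []byte("examplepkg-1.0-1\n") // constructed sample db content
	digest := DigestDB(db)
	sig := SignDigest(priv, digest)
	fmt.Println("clean db:", VerifyDB(pub, db, digest, sig))
	tampered := append([]byte("injected-1.0-1\n"), db...) // changed on the server after signing
	fmt.Println("tampered db:", VerifyDB(pub, tampered, digest, sig))
}
```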

