[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Guillaume ALAUX guillaume at alaux.net
Tue Jun 15 09:58:55 EDT 2010


>How exactly is core and extra database populated?
> Moreover, instead of building all packages in the private PCs of
developers
Packages are not build on developers computers but on build machines as
explained here http://wiki.archlinux.org/index.php/Pacbuild

<http://wiki.archlinux.org/index.php/Pacbuild>There is also an
implementation of package signing in pacman on the link Xavier provided some
emails up on this conversation. I don't think there is any need to re-think
it all. Just need to be tested.

I am currently trying to set up a build system on my box and will then try
to use these patches to provide feedback.

On 15 June 2010 15:57, Dimitrios Apostolou <jimis at gmx.net> wrote:

> On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote:
>
>> And keep in mind that package signing per se will not solve this kind
>> of problems. Repository database signing is more important for that
>> solution, but is a problem in the current workflow of Arch developers.
>>
>
> How exactly is core and extra database populated?
>
> Moreover, instead of building all packages in the private PCs of
> developers, I think it is preferable to submit PKGBUILDs to build servers
> (via web interface maybe) and let the servers do the build + signing +
> repoupdate... That way if a developer's system gets compromised his packages
> will stay clean. Of course that needs extra work and equipment, but perhaps
> we can agree to it as a future target.
>
> On another note, an easy but maybe a bit costly way to avoid any MITM
> tampering to packages, is serve *.md5 files for every package through a
> trusted HTTPS host. Then everyone can query that single host and check if
> the package he got from a mirror is safe.
>
> Costs: A little more traffic by serving hash files to everyone plus the
> cost of the certificate from a CA. Is the income Arch receives from ads and
> schwag enough for such a simple solution?
>
>
> Dimitris
>


More information about the arch-general mailing list