[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

Pierre Schmitz pierre at archlinux.de
Tue Jun 15 12:37:00 EDT 2010


On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
<aleksis.jauntevs at gmail.com> wrote:
> I don't think that repo.db should be signed and it is enough to sign only
> the packages. As I understand so far the only reason to sign repo.db file is
> to prevent "replay" situations in repos.

It's the other way round: signing the DB is important while signing single
packages is not (but should still be done for some reasons).

If the DB is not signed I could simply add additional packages or replace
packages.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
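Added example (not from this thread or from pacman/repo-add) of the point Pierre makes: per-package signatures prove each package came from a maintainer, but only a signed repo DB binds which set of packages and versions the repo is supposed to contain. HMAC-SHA256 stands in for a real detached signature, the DB is modelled as "name version sha256" lines, and all keys, package names and contents are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-signing-key"  # stands in for the distro's private signing key

def sign(data: bytes) -> str:
    """Detached 'signature' over data; HMAC is a stand-in for a real signature."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

def build_db(packages: dict) -> bytes:
    """Repo DB: one 'name version sha256' line per package, sorted by name."""
    return "".join(f"{n} {v} {hashlib.sha256(b).hexdigest()}\n"
                   for n, (v, b) in sorted(packages.items())).encode()

def check_per_package(repo: dict) -> bool:
    """Per-package signatures only: each package verifies, nothing binds the set."""
    return all(verify(blob, sig) for _ver, blob, sig in repo.values())

def check_signed_db(db: bytes, db_sig: str, repo: dict) -> bool:
    """Signed DB: the DB must verify and the package set must match it exactly."""
    if not verify(db, db_sig):
        return False
    expected = {n: (v, d) for n, v, d in (l.split() for l in db.decode().split("\n") if l)}
    if set(expected) != set(repo):       # a package was added or removed
        return False
    return all(ver == expected[n][0] and hashlib.sha256(blob).hexdigest() == expected[n][1]
               for n, (ver, blob, _sig) in repo.items())  # replaced or downgraded package

def scenario() -> dict:
    """Returns (per_package_ok, signed_db_ok) for an honest mirror and two tampered ones."""
    old, new = b"foo-1.0 (buggy)", b"foo-2.0 (fixed)"
    published = {"foo": ("2.0", new, sign(new))}
    db = build_db({"foo": ("2.0", new)})
    db_sig = sign(db)
    # The tampered mirrors below reuse signatures the maintainer genuinely issued
    # earlier (sign() is called here only to simulate them); no key is needed.
    downgraded = {"foo": ("1.0", old, sign(old))}               # replayed old package
    extra = b"bar-1.0 (never listed in this DB)"
    padded = {**published, "bar": ("1.0", extra, sign(extra))}  # added package
    return {name: (check_per_package(r), check_signed_db(db, db_sig, r))
            for name, r in [("honest", published), ("downgrade", downgraded), ("added", padded)]}
```

Only the signed-DB check rejects the replayed and the added package; editing the DB itself to list them fails its signature, which is the "replay" case the thread refers to.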

